Operating System Security - PowerPoint PPT Presentation

About This Presentation

Title:

Operating System Security

Description:

uid is systems real name for user. integer 0 ... 65536 (varies ... Desired for some system purposes ... kern, user, mail, lpr, auth, demon, news, uucp, ... – PowerPoint PPT presentation

Number of Views:44

Avg rating:3.0/5.0

Slides: 37

Provided by: timshi

Learn more at: https://www.andrew.cmu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Operating System Security

1
Operating System Security
2
Users

UNIX user -gt username -gt uid
uid is systems real name for user
integer 0 ... 65536 (varies in some systems)
mapping is in /etc/passwd
shimeall500320Tim/users/shimeallcsh
More than one username may map to a uid
Desired for some system purposes (program
tracking)
Problem for ordinary users (confused file
ownership)
Security problem (hacker makes duplicate uid
account)
Temporary uid change su

3
Groups

User - one or more groups
Group - zero or more users
Used for file permissions
Defined by /etc/groups and network sharing
software
ypcat group.byname
gid - integer system name for group (generally
unique)
Listed for individual users with groups
Change group of file with chgrp
chgrp newgroup myfile

4
SETUID and SETGID

Special mechanisms temporarily use a uid or gid
during the execution of a program)
Part of mode bits
s in user x field - setuid
s in group x field - setgid
To be effective, both s and x must be set
chmod ax myprog
chmod us myprog
chmod 4755 myprog
WARNING Lots of subtle security holes!

5
Dangerous Accounts

root superuser
open, guest, play, nobody - courtesy accounts
Accounts without passwords
uucp, sync, pspq - single-command accounts
Group accounts

6
User Policy

Restricting access
commands
file access
login times
network access
terminal access
Inactive users
Detection
Password change
Locking (change shell)
Deletion (after backup)
Ultimately - need multilevel security

7
Multilevel Security

Users with different needs to know sharing
computer or network
If dont need to know shouldnt even be able to
determine if information exists
Should be able to filter functionality based on
allowable information
Mandatory and Discretionary protections

8
Monitor Model

General Schema
Takes user's request.
Consults access control information.
Allows or disallows request.
Advantages
Easy to implement.
Easy to understand
Disadvantages
Bottleneck in system
Controls only direct accesses (not inferences)

9
Graham-Denning Model

Introduces protection rules that operate on
A set of subjects S
A set of objects O
A set of rights R
An access control matrix

Subjects S1 S2 O1 O2
s1 Control Read Owner read
s2 Control Owner
10
Graham-Denning Rights

Eight primitive protection rights
create, delete object
create, delete subject
read, grant, delete, transfer access right

11
Military Security Model

Information is ranked
Unclassified
Confidential
Secret
Top Secret
Least Privilege Subject should have access to
fewest objects needed for successful work
The system backup program may be allowed to
bypass read restrictions on files, but it would
not have the ability to modify files.
Need to Know

12
Compartmentalization

Information may belong to one or more
compartments
Compartments are used to enforce need-to-know.
Classification of Information ltrank
compartmentsgt
Clearance ltrank compartmentsgt
an indication of a level of trust
A subject can access an object only if
The clearance level of the subject is at least as
high as that of the information.
The subject has a need to know about all
compartments for which the information is
classified.

13
Information Flow Models

Acts as an intelligent filter to control the
transfer of information permitted by access to a
particular object.
Information flow analysis can assure that
operating system modules that have access to
sensitive data cannot leak that data to calling
modules.

14
Bell-LaPadula Model

A formal description of the allowable paths of
information flow in a secure system.
Applies only to privacy
Identifies paths that could lead to inappropriate
disclosures.
Is used as the basis for the design of systems
that handle data of multiple levels.
Includes both discretionary and mandatory access
rules
B-LP Discretionary Access Control
Uses Access Matrix similar to Graham-Denning
Model
Includes functions for dealing with the access
matrix.

15
Bell-LaPadula Mandatory Controls

Fixed security classes for each subject and each
object
Security classes ordered by a relation
Tranquility constraint prevents access classes of
objects from changing
Simple Security Property
Property

16
Bell-LaPadula Properties

Simple Security Property
Subject may have read access only if object
classified at same level or lower.
- Property
Subject may have write access only if all objects
read are at same level or higher than object to
be written.

17
Biba Model

Concerned with integrity rather than secrecy.
Defines integrity levels much like sensitivity
levels.
Fixed integrity classes for each subject and each
object
Ordered integrity classes

18
Biba Properties

Simple Integrity Property
Subject can modify object only if integrity class
at least as high as the object. (untrusted
subjects reduce integrity class when writing)
- Property
Subjects may have write access only if the
integrity of objects they are reading is at least
as high as the object to be written. (untrusted
sources reduce integrity of results)

19
Integrity Preservation

A high integrity file is one whose contents are
created by high-integrity processes.
high-integrity file cannot be contaminated by
information from low-integrity processes.
high-integrity process cannot be subverted by low
integrity processes or data.
The integrity class label on a file guarantees
that the contents came only from sources of at
least that degree of integrity.

20
Secure Operating Systems

Basic Features of a Multiprogramming OS
Authentication of users.
Protection of memory.
File and I/O device access control.
Allocation and access control to general objects.
Enforcement of sharing.
Guarantee of fair service.
Interprocess communication and synchronization.
Basic Considerations
Security must be considered in every aspect of
the design of operating systems.
It is difficult to add on security features.

21
Basic Design Principles

Least privilege - fewest possible privileges for
user.
Economy of mechanism - small, simple, straight
forward.
Open design
Complete mediation - check every access
Permission based - default is denial of access.
Separation of privilege - no single super user.
Least common mechanism - avoid shared objects.
Easy to use.

22
Security Kernel

Responsible for implementing the security
mechanisms of the entire operating system.
Provides the security interfaces among the
hardware, the operating system, and the other
parts of the computing system.
Implementation of a security kernel
May degrade system performance (one more layer).
May be large.
No guarantees.

23
Backups

First line of defense against denial-of-service
and modification threats
Dont depend on system backups for important data
User backups
Administrator backups
Day-zero backup
Upgrade backup
Full backup
Incremental backup

24
Backup Policy

One backup volume per partition
Time backup for restoration
How much work are we willing to lose?
Verify backup at archive location
Content - not just format
Ensure operator training
Ensure archive environment
Rotate media
Need more than most recent backup
Maintain physical security on backups
Maintain logical security on backups
Be careful about legal issues on backups

25
Integrity

Compromise of integrity equal to compromise of
privacy
Integrity threats
Change permissions to allow modification/reading
Change password file
Change device / interface configurations
Move files
Replace system programs with substitutes
Replace log files with sanitized versions
95 of UNIX security incidents result of
misconfiguration

26
Integrity Protection Strategies

Prevention
Detection
Recovery

27
Unix Operation Modes

Normal Operating Mode
Any user login
Diverse command set
Network operations
Import and export files
Single User Mode
Intended for system maintenance / full backup
Only root login allowed
Restricted command set
No network operations
No file import/export

28
Prevention Strategies

Software Controls
File permissions
Directory permissions
Restrictions on root access
Low-level operating system controls
Immutability - only change in single-user mode
append - only add to file, except single-user
mode
Hardware controls
Read-only file systems (CD ROM, WORM)
Write-protect options

29
Detection Strategies

Comparison copies
On read-only media
On standard media, remote storage
Large space, slow, expensive
Metadata
Stored list of files
Path to files
Modification times
Easy to fool
Digital Signature
Encrypt with private key of modifier
Fast, small, hard to fool, requires extra work

30
TRIPWIRE

System to compute signatures on all files in
system
Batch mode - compare against stored signatures
report differences
Interactive mode - compare against stored
signatures confirm updates
Both commercial and freeware products
Detects
Corrupted file systems
Unlogged administrator actions
Replacement of system programs

31
Recovery Strategies

Restore from backup - Rollback (Data Loss)
If data problem, may be able to replay changes -
Selective Rollback (some data loss)
If redundant file system, vote file versions -
Masking
If specific changes found - correct - Roll
forward
In general -- the more detection and prevention,
the easier the recovery

32
Auditing