Post on 25-Dec-2015

Chapter 5b

Modern Operating Systems Security

Linux and Windows (Vista)

Stallings chapters 23,24

Computer Security: Principles and Practice

First Edition by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown

Chapter 23 – Linux Security

Linux Security

Linux has evolved into one of the most popular and versatile operating systems
many features mean a broad attack surface
can still create highly secure Linux systems
will review:
  Discretionary Access Controls
  typical vulnerabilities and exploits in Linux
  best practices for mitigating those threats
  new improvements to the Linux security model

Linux Security Model

Linux's traditional security model is:
  people or processes with "root" privileges can do anything
  other accounts can do much less
hence attackers want to get root privileges
can still run robust, secure Linux systems
crux of the problem is the use of Discretionary Access Controls (DAC)

Linux Security Transactions

File System Security

in Linux everything is a file
  e.g. memory, device-drivers, named pipes, and other system resources
  hence why filesystem security is so important
I/O to devices is via a "special" file, e.g. /dev/cdrom
have other special files like named pipes, a conduit between processes / programs

Users and Groups

a user-account (user)
  represents someone capable of using files
  associated both with humans and processes
a group-account (group)
  is a list of user-accounts
  users have a main group, and may also belong to other groups
users & groups are not files

Users and Groups

user's details are kept in /etc/passwd, e.g.
  maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
  (fields: name, password placeholder, UID, primary GID, GECOS, home, shell; the "x" means the password hash lives in /etc/shadow, readable only by root)
additional group details in /etc/group, e.g.
  conductors:x:100:
  pianists:x:102:maestro,volodya
use useradd, usermod, userdel to alter

File Permissions

files have two owners: a user & a group
  each with its own set of permissions
  with a third set of permissions for other
permissions are to read/write/execute, in order user/group/other, cf.
  -rw-rw-r-- 1 maestro user 35414 Mar 25 01:38 baton.txt
set using chmod command

Directory Permissions

read = list contents
write = create or delete files in directory
execute = use anything in, or change working directory to, this directory
e.g. (ls needs -d to show the directory itself rather than its contents)
  $ chmod g+rx extreme_casseroles
  $ ls -ld extreme_casseroles
  drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles

Sticky Bit
originally used to lock file in memory
now used on directories to limit delete
  if set, must own the file or the directory to delete
  other users cannot delete even if they have write permission
set using chmod command with +t flag, e.g.
  chmod +t extreme_casseroles
directory listing includes t or T flag (T when others lack execute permission)
  drwxrwx--T 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
only applies to the specific directory, not child dirs

SetUID and SetGID

setuid bit means program "runs as" owner, no matter who executes it
setgid bit means run as a member of the group which owns it, again regardless of who executes it
"run as" = "run with same privileges as"
are very dangerous if set on a file owned by root or other privileged account or group
only honoured on binary executables: the Linux kernel ignores setuid/setgid on interpreted (#!) scripts

SetGID and Directories

setuid has no effect on directories
setgid does, and causes any file created in a directory to inherit the directory's group
useful if users belong to other groups and routinely create files to be shared with other members of those groups, instead of manually changing its group

Numeric File Permissions
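The following is an added example, not code from the slides or from Stallings' book: a miniature model of the DAC decisions described in the slides above (users and groups, owner/group/other triplets, the sticky bit, setgid directories, and the numeric form of a mode). The /etc/passwd and /etc/group records are the slides' sample lines plus constructed entries for volodya and biff; the helper names are the example's own.

```python
"""Linux DAC decisions in miniature (added example, not from the slides)."""
import stat

# Constructed /etc/passwd and /etc/group content (slide examples, extended).
PASSWD = """\
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
volodya:x:201:100:Volodya:/home/volodya:/bin/bash
biff:x:202:103:Biff:/home/biff:/bin/bash
"""
GROUP = """\
conductors:x:100:
pianists:x:102:maestro,volodya
drummers:x:103:biff,volodya
"""


def parse_passwd(text):
    """name -> (uid, primary gid); seven colon-separated fields per record."""
    users = {}
    for line in text.splitlines():
        name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def gids_for(user, users, groups):
    """Primary gid plus every group whose member list names the user."""
    gids = {users[user][1]}
    for gid, members in groups.values():
        if user in members:
            gids.add(gid)
    return gids


def mode_to_octal(mode_str):
    """'drwxrws--T' -> 0o3770: translate an ls(1) mode field into st_mode bits.

    Lower-case s/t mean the special bit plus execute; upper-case S/T mean the
    special bit without execute (the 'T' in the sticky-bit slide).
    """
    bits = mode_str.rstrip(".+")[-9:]   # drop ACL/SELinux marker and type char
    value = 0
    for i, ch in enumerate(bits):
        who = i // 3                     # 0 = user, 1 = group, 2 = other
        if ch in "rwxst":                # r, w, or an execute bit that is set
            value |= 1 << (8 - i)
        if ch in "sS":
            value |= stat.S_ISUID if who == 0 else stat.S_ISGID
        elif ch in "tT":
            value |= stat.S_ISVTX
    return value


def dac_allows(user, op, mode, owner, group, users, groups):
    """Classic DAC: exactly one of the user/group/other triplets applies."""
    if users[user][0] == users[owner][0]:
        shift = 6                        # owner triplet
    elif groups[group][0] in gids_for(user, users, groups):
        shift = 3                        # group triplet
    else:
        shift = 0                        # other triplet
    bit = {"read": 4, "write": 2, "execute": 1}[op]
    return bool((mode >> shift) & bit)


def can_delete(user, dir_mode, dir_owner, dir_group, file_owner, users, groups):
    """Unlink needs write + execute on the directory; with the sticky bit set
    the caller must additionally own the file or the directory."""
    if not (dac_allows(user, "write", dir_mode, dir_owner, dir_group, users, groups)
            and dac_allows(user, "execute", dir_mode, dir_owner, dir_group, users, groups)):
        return False
    if dir_mode & stat.S_ISVTX:
        return user in (file_owner, dir_owner)
    return True


def new_file_gid(dir_mode, dir_gid, creator_primary_gid):
    """A setgid directory makes files created inside it inherit its group."""
    return dir_gid if dir_mode & stat.S_ISGID else creator_primary_gid
```

Root is deliberately absent from the model: a process with CAP_DAC_OVERRIDE and CAP_FOWNER bypasses every one of these checks, which is exactly why the slides keep returning to the question of who gets root.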

Kernel vs User Space

Kernel space
  refers to memory used by the Linux kernel and its loadable modules (e.g., device drivers)
User space
  refers to memory used by all other processes
since the kernel enforces the Linux DAC and security, it is critical to isolate kernel from user space
  so kernel space is never swapped to disk
  only root may load and unload kernel modules

setuid root Vulnerabilities

a setuid root program runs as root, no matter who executes it
used to provide unprivileged users with access to privileged resources (e.g. change passwd)
must be very carefully programmed
  if it can be exploited due to a software bug, may allow otherwise-unprivileged users to use it to wield unauthorized root privileges
distributions now minimize setuid-root programs
system attackers still scan for them!

Web Vulnerabilities

a very broad category of vulnerabilities
because of the ubiquity of the world wide web, have big and visible attack surfaces
when written in scripting languages
  not as prone to classic buffer overflows
  can suffer from poor input-handling
few "enabled-by-default" web applications
but users install vulnerable web applications, or write custom web applications having easily-identified and easily-exploited flaws

Rootkits

allow attacker to cover their tracks
if successfully installed before detection, all is very nearly lost
originally collections of hacked commands hiding attacker's files, directories, processes
now use loadable kernel modules
  intercepting system calls in kernel-space
  hiding attacker from standard commands
may be able to detect with chkrootkit
generally have to wipe and rebuild system

Linux System Hardening

consider how to mitigate Linux security risks at system and application levels
first look at OS-level security tools and techniques that protect the entire system

OS Installation
security begins with O/S installation, especially what software is run
since unused applications are liable to be left in default, un-hardened and un-patched state
generally should not run: X Window system, RPC services, R-services, inetd, SMTP daemons, telnet etc
also have some initial system s/w configuration:
  setting root password
  creating a non-root user account
  setting an overall system security level
  enabling a simple host-based firewall policy
  enabling SELinux

Patch Management
installed server applications must be:
  configured securely
  kept up to date with security patches
patching can never win the "patch rat-race"
have tools to automatically download and install security updates, e.g. up2date, YaST, apt-get
note should not run automatic updates on change-controlled systems without testing

Network Access Controls

network is a key attack vector to secure
TCP wrappers a key tool to check access
originally tcpd, an inetd wrapper daemon
before allowing connection to service, checks in this order:
  if requesting host explicitly in hosts.allow, is ok
  else if requesting host explicitly in hosts.deny, is blocked
  if not in either, is ok (so a final "ALL: ALL" entry in hosts.deny is needed to make the default deny)
checks on service, source IP, username
now often part of the app itself, linked against libwrap
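The decision order just described, as an added example that is not from the slides or from the tcp_wrappers source. It implements only the subset of the hosts_access(5) pattern language needed to illustrate the three-step check (ALL, exact names or addresses, ".domain" suffixes and "net." prefixes); EXCEPT lists, netmask forms and shell commands are not modelled. The two sample files are constructed.

```python
"""tcpd / libwrap decision order over hosts.allow and hosts.deny
(added example, not from the slides)."""

# Constructed sample files; real tcpd reads /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd  : 192.168.1. .corp.example
ALL   : 127.0.0.1 localhost
"""
HOSTS_DENY = """\
sshd   : ALL
vsftpd : 10.0.0.
"""
# Same deny file with the default-deny line practitioners usually add last.
HOSTS_DENY_STRICT = HOSTS_DENY + "ALL : ALL\n"


def parse_rules(text):
    """-> list of (daemon_patterns, client_patterns) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match(pattern, value):
    """One daemon/client pattern against one name or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                   # domain suffix, e.g. .corp.example
        return value.endswith(pattern)
    if pattern.endswith("."):                     # network prefix, e.g. 192.168.1.
        return value.startswith(pattern)
    return pattern == value


def rule_hits(rules, daemon, client_addr, client_name):
    """True if any rule names this daemon and this client (by address or name)."""
    return any(
        any(match(d, daemon) for d in daemons)
        and any(match(c, client_addr) or match(c, client_name) for c in clients)
        for daemons, clients in rules
    )


def hosts_access(daemon, client_addr, client_name, allow_text, deny_text):
    """tcpd order: first matching hosts.allow entry grants, otherwise first
    matching hosts.deny entry refuses, otherwise the connection is allowed."""
    if rule_hits(parse_rules(allow_text), daemon, client_addr, client_name):
        return "allow"
    if rule_hits(parse_rules(deny_text), daemon, client_addr, client_name):
        return "deny"
    return "allow"                                # the permissive default
```

Note how the last branch is what the "ALL : ALL" line exists to close: without it, a daemon that appears in neither file accepts every client.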

Network Access Controls
also have the very powerful netfilter
  Linux kernel native firewall mechanism
  and iptables user-space front end
as useful on firewalls, servers, desktops
direct config tricky, steep learning curve
do have automated rule generators
typically for "personal" firewall use will:
  allow incoming requests to specified services
  block all other inbound service requests
  allow all outbound (locally-originating) requests
if need greater security, manually config

Antivirus Software
historically Linux not as vulnerable to viruses
  more due to lesser popularity than security
  prompt patching was effective against worms
but viruses abuse the user's privileges
  non-root users have less scope to exploit
  but can still consume resources
growing Linux popularity means more exploits
hence antivirus software will become more important
various commercial and free Linux A/V

User Management

guiding principles in user-account security:
  need care setting file / directory permissions
  use groups to differentiate between roles
  use extreme care in granting / using root privs
commands: chmod, useradd/mod/del, groupadd/mod/del, passwd, chage
info in files /etc/passwd & /etc/group
manage user's group memberships
set appropriate password ages

Root Delegation
have "root can do anything, users do little" issue
"su" command allows users to run as root
  either root shell or single command
  must supply root password
  means likely too many people know this
SELinux RBAC can limit root authority, but complex
"sudo" allows users to run as root
  but only need their password, not root password
  /etc/sudoers file specifies what commands allowed
or configure user/group perms to allow, tricky

Logging
effective logging a key resource
Linux logs using syslogd or Syslog-NG
  receive log data from a variety of sources
  sorts by facility (category) and severity
  writes log messages to local/remote log files
Syslog-NG preferable because it has:
  variety of log-data sources / destinations
  much more flexible "rules engine" to configure
  can log via TCP, which can be encrypted (classic syslogd forwards over unauthenticated UDP)
should check and customize defaults

Log Management

balance number of log files used
  size of few vs finding info in many
manage size of log files
  must rotate log files and delete old copies
  typically use logrotate utility run by cron
  to manage both system and application logs
must also configure application logging

Application Security

this is a large topic
many security features are implemented in similar ways across different applications
will review issues such as:
  running as unprivileged user/group
  running in chroot jail
  modularity
  encryption
  logging

Running As Unprivileged User/Group

every process "runs as" some user
extremely important this user is not root
  since any bug can compromise entire system
may need root privileges, e.g. to bind a port below 1024
  have root parent perform privileged function
  but main service from unprivileged child
user/group used should be dedicated
  easier to identify source of log messages

Running in chroot Jail

chroot confines a process to a subset of /
  maps a virtual "/" to some other directory
useful if have a daemon that should only access a portion of the file system, e.g. FTP
directories outside the chroot jail aren't visible or reachable at all
contains effects of compromised daemon
  but chroot is not a security boundary for a process that keeps root privileges (root can break out), so combine it with dropping privileges
complex to configure and troubleshoot
  must mirror portions of system in chroot jail

Modularity

applications running as a single, large, multipurpose process can be:
  more difficult to run as an unprivileged user
  harder to locate / fix security bugs in source
  harder to disable unnecessary functionality
hence modularity a highly prized feature, providing a much smaller attack surface
cf. postfix vs sendmail, Apache modules

Encryption

sending logins & passwords or application data over networks in clear text exposes them to network eavesdropping attacks
hence many network applications now support encryption to protect such data, often using the OpenSSL library
may need own X.509 certificates to use
  can generate/sign using openssl command
  may use commercial/own/free CA

Logging

applications can usually be configured to log to any level of detail (debug to none)
need appropriate setting
must decide if use dedicated file or system logging facility (e.g. syslog)
  central facility useful for consistent use
must ensure any log files are rotated

Mandatory Access Controls

Linux uses a DAC security model
but Mandatory Access Controls (MAC) impose a global security policy on all users
  users may not set controls weaker than policy
  normal admin done with accounts without authority to change the global security policy
but MAC systems have been hard to manage
Novell's SuSE Linux has AppArmor
RedHat Enterprise Linux has SELinux
  pure SELinux for high-sensitivity, high-security

SELinux
is NSA's powerful implementation of mandatory access controls for Linux
Linux DAC still applies, but if it allows the action SELinux then evaluates it against its own security policies
"subjects" are processes (run user cmds)
actions are "permissions"
objects not just files & dirs
"that which is not expressly permitted, is denied"
to manage complexity SELinux has groups of subjects, permissions, and objects

Security Contexts
each individual subject & object in SELinux is governed by a security context being a:
user - individual user (human or daemon)
  SELinux maintains its own list of users
  user labels on subjects specify account's privileges
  user labels on objects specify its owner
role - like a group, assumed by users
  a user may only assume one role at a time, may only switch roles if and when authorized to do so
domain (type) - a sandbox being a combination of subjects and objects that may interact with each other
  this model is called Type Enforcement (TE)

Decision Making in SELinux

two types of decisions:
access decisions
  when subjects do things to objects that already exist, or create new things in the expected domain
transition decisions
  invocation of processes in different domains than the one in which the subject-process is running
  creation of objects in different types (domains) than their parent directories
  transitions must be authorized by SELinux policy
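The two kinds of decision above, as an added toy model that is not from the slides and is not SELinux's own access vector cache or policy language. Contexts are user:role:type strings; the allow and type_transition rules are constructed in the spirit of the Reference Policy (the type names httpd_t, httpd_sys_content_t, httpd_log_t, httpd_exec_t, initrc_t, var_log_t are real Reference Policy names, but the rules here are a hand-picked subset). Real domain transitions need more permissions (process transition and file entrypoint) than this model checks.

```python
"""Decision order SELinux adds on top of DAC (added example, not from the slides)."""
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    domain: str          # the type; for a process it is called the domain


def parse_context(s):
    """'system_u:system_r:httpd_t:s0' -> Context; the MLS range is ignored here."""
    user, role, typ = s.split(":")[:3]
    return Context(user, role, typ)


# allow <source type> <target type>:<class> { permissions }   (constructed subset)
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "create", "getattr"},
    ("httpd_t", "var_log_t", "dir"): {"search", "add_name", "write"},
    ("initrc_t", "httpd_exec_t", "file"): {"read", "execute"},
}
# type_transition <source> <exec type>:process <new domain>   (domain transitions)
DOMAIN_TRANSITION = {("initrc_t", "httpd_exec_t"): "httpd_t"}
# type_transition <source> <parent dir type>:file <new type>   (object labelling)
FILE_TRANSITION = {("httpd_t", "var_log_t"): "httpd_log_t"}


def access_decision(subject, target_type, cls, perm, dac_allowed):
    """DAC is consulted first; only if it allows does the TE table get a say."""
    if not dac_allowed:
        return "denied by DAC"
    if perm in ALLOW.get((subject.domain, target_type, cls), ()):
        return "allowed"
    return "denied by SELinux (no allow rule)"       # default deny


def transition_decision(subject, exec_type):
    """Executing a file of type exec_type from the subject's domain: the
    subject needs an execute rule; if a domain transition is defined the new
    process runs in that domain, otherwise it stays in the caller's domain."""
    if "execute" not in ALLOW.get((subject.domain, exec_type, "file"), ()):
        return None                                  # exec itself is refused
    new_domain = DOMAIN_TRANSITION.get((subject.domain, exec_type), subject.domain)
    return subject._replace(domain=new_domain)


def new_file_type(subject, parent_dir_type):
    """Files created by the subject get the transition type if one is defined,
    otherwise they inherit the parent directory's type."""
    return FILE_TRANSITION.get((subject.domain, parent_dir_type), parent_dir_type)
```

The useful property to notice is that a compromised httpd_t process still cannot read shadow_t or write its own content files: DAC may say yes, but with no allow rule the answer stays "denied".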

RBAC and MLS Controls

have Role Based Access Control (RBAC)
  rules specify roles a user may assume
  other rules specify circumstances when a user may transition from one role to another
and Multi Level Security (MLS)
  concerns handling of classified data
  "no read up, no write down"
  MLS is enforced via file system labeling

SELinux Policy Management

creating and maintaining SELinux policies is complicated and time-consuming
a single SELinux policy may consist of hundreds of lines of text
RHEL has a default "targeted" policy
  defines types for selected network apps
  allows everything else to use DAC controls
have a range of SELinux commands
  see additional references for details

Novell AppArmor
Novell's MAC for SuSE Linux
enforced at kernel level using Linux Security Modules
restricts behavior of selected applications in a very granular but targeted way
  hence a compromised root application's access will be contained
has no controls addressing data classification
  hence only a partial MAC implementation
non-protected apps just use Linux DAC

Summary

reviewed Linux security model and DAC
vulnerabilities
O/S and application hardening
MAC, SELinux and AppArmor


Chapter 24 – Windows and Windows Vista Security

Windows and Windows Vista Security

Windows is the world's most popular O/S
advantage is that security enhancements can protect millions of nontechnical users
challenge is that vulnerabilities in Windows can also affect millions of users
will review overall security architecture of Windows 2000 and later (but not Win9X)
then security defenses built into Windows

Windows Security Architecture
Security Reference Monitor (SRM)
  a kernel-mode component that performs access checks, generates audit log entries, and manipulates user rights (privileges)
Local Security Authority (LSA)
  responsible for enforcing local security policy
Security Account Manager (SAM)
  a database that stores user accounts and local users and groups security information
  local logins perform lookup against SAM DB
  passwords are stored as unsalted MD4 hashes of the UTF-16LE password (the "NT hash"), so identical passwords yield identical hashes and precomputed-table attacks are cheap

Windows Security Architecture
Active Directory (AD)
  Microsoft's LDAP directory
  all Windows clients can use AD to perform security operations including account logon
  authenticate using AD when the user logs on using a domain rather than local account
  user's credential information is sent securely across the network to be verified by AD
WinLogon (local) and NetLogon (net) handle login requests

Local vs Domain Accounts
a networked Windows computer can be:
domain joined
  can login with either domain or local accounts
  if local, may not access domain resources
  centrally managed and much more secure
in a workgroup
  a collection of computers connected together
  only local accounts in SAM can be used
  no infrastructure to support AD domain

Windows Login Example
domain admin adds user's account info (name, account, password, groups, privileges)
account is represented by a Security ID (SID)
  unique to each account within a domain
  of form: S-1-5-21-AAA-BBB-CCC-RRR (AAA-BBB-CCC identifies the domain, RRR is the account's relative ID)
username in one of two forms:
  SAM format: DOMAIN\Username
  User Principal Name (UPN): user@domain, in e-mail style
login using username & password or smartcard
issued with token (SID, groups, privileges)
  assigned to every process run by user

Windows Privileges

are systemwide permissions assigned to user accounts
  e.g. backup computer, or change system time
some are deemed "dangerous" such as:
  act as part of operating system privilege
  debug programs privilege
  backup files and directories privilege
others are deemed "benign" such as:
  bypass traverse checking privilege

Access Control Lists

two forms of access control list (ACL):
Discretionary ACL (DACL)
  grants or denies access to protected resources such as files, shared memory, named pipes etc
System ACL (SACL)
  used for auditing and, in Windows Vista, to hold the integrity label that enforces the mandatory integrity policy

Access Control Lists

objects needing protection are assigned a DACL (and possibly a SACL) that includes:
  SID of the object owner
  list of access control entries (ACEs)
each ACE includes a SID & access mask
  access mask could include ability to: read, write, create, delete, modify, etc
access masks are object-type specific
  e.g. service abilities are create, enumerate

Security Descriptor (SD)

data structure with object owner, DACL, & SACL, e.g.
  Owner: CORP\Blake
  ACE[0]: Allow CORP\Paige Full Control
  ACE[1]: Allow Administrators Full Control
  ACE[2]: Allow CORP\Cheryl Read, Write and Delete
have no implied access: if there is no ACE for requesting user, then access is denied
applications must request correct type of access
  if just request "all access" when need less (e.g. read), some users who should have access will be denied

More SD's & Access Checks
each ACE in the DACL determines access
an ACE can be an allow or a deny ACE
Windows evaluates each ACE in the ACL until access is granted or explicitly denied
  so deny ACEs come before allow ACEs
  default if set using GUI
  explicitly order if create programmatically
when user attempts to access a protected object, the O/S performs an access check comparing user/group info with ACEs in ACL

Impersonation

process can have multiple threads
  common for both clients and servers
impersonation allows a server to serve a user, using their access privileges
  e.g. ImpersonateNamedPipeClient function
  sets user's token on the current thread
  then access checks for that thread are performed against this token, not the server's, i.e. with the user's access rights

Mandatory Access Control

have Integrity Control in Windows Vista that limits operations changing an object's state
objects and principals are labeled (using SID) as:
  Low integrity (S-1-16-4096)
  Medium integrity (S-1-16-8192)
  High integrity (S-1-16-12288)
  System integrity (S-1-16-16384)
when a write operation occurs, first check that the subject's integrity level dominates (is at least) the object's integrity level ("no write up"); reads are not restricted by default
much of O/S marked medium or higher integrity
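The access check described across the last few slides (the Vista integrity check followed by the ordered DACL walk), as an added example that is not from the slides and is not Windows' AccessCheck. The integrity SIDs, the Administrators alias S-1-5-32-544 and the access-mask bit values are the real ones; the CORP domain SID and the RIDs for Blake, Paige and Cheryl are constructed to reproduce the slide's security descriptor. Owner-implied rights (READ_CONTROL and WRITE_DAC), generic-right mapping and inherited-ACE ordering are not modelled.

```python
"""Vista-style access check: integrity label, then ordered DACL
(added example, not from the slides)."""
from dataclasses import dataclass, field

# Access-mask bits (real Win32 values for the few rights used here).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE = 0x00010000
WRITE_DAC = 0x00040000
FULL_CONTROL = FILE_READ_DATA | FILE_WRITE_DATA | DELETE | WRITE_DAC
WRITE_RIGHTS = FILE_WRITE_DATA | DELETE | WRITE_DAC      # subject to no-write-up

LOW, MEDIUM, HIGH, SYSTEM = "S-1-16-4096", "S-1-16-8192", "S-1-16-12288", "S-1-16-16384"
ADMINISTRATORS = "S-1-5-32-544"
CORP = "S-1-5-21-1000-2000-3000"                          # constructed domain SID
BLAKE, PAIGE, CHERYL = (f"{CORP}-{rid}" for rid in (1001, 1002, 1003))


def integrity_level(label_sid):
    """The last sub-authority of an S-1-16-* SID is the level; higher dominates."""
    return int(label_sid.rsplit("-", 1)[1])


@dataclass
class ACE:
    kind: str                 # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list                # ordered list of ACE
    integrity: str = MEDIUM   # objects without a label are treated as Medium


@dataclass
class Token:
    user: str
    groups: list = field(default_factory=list)
    integrity: str = MEDIUM

    def sids(self):
        return {self.user, *self.groups}


def canonical(dacl):
    """Explicit deny ACEs first, then allows: the order the GUI produces."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")


def access_check(token, sd, desired):
    """True only if every bit in `desired` ends up granted.

    Step 1: a write-type request from a subject whose integrity level is below
            the object's label fails before the DACL is even consulted.
    Step 2: walk the DACL in order; ACEs for SIDs not in the token are skipped;
            a deny ACE covering any still-wanted right ends the check with
            failure, and the allow ACE that clears the last wanted right ends
            it with success.
    """
    if desired & WRITE_RIGHTS and integrity_level(token.integrity) < integrity_level(sd.integrity):
        return False
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False                          # explicit deny on a wanted right
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True                       # everything wanted is granted
    return False                                  # no implied access


# The slide's example descriptor: owner CORP\Blake, three allow ACEs.
SLIDE_SD = SecurityDescriptor(
    owner=BLAKE,
    dacl=[ACE("allow", PAIGE, FULL_CONTROL),
          ACE("allow", ADMINISTRATORS, FULL_CONTROL),
          ACE("allow", CHERYL, FILE_READ_DATA | FILE_WRITE_DATA | DELETE)],
)
```

The `canonical` helper is the point of the "deny ACEs come before allow ACEs" slide: with the same two ACEs in the wrong order, an allow that covers the requested right satisfies the check before the deny is ever reached.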

Vista User Account

Windows Vulnerabilities

Windows, like all O/S's, has security bugs
and bugs have been exploited by attackers to compromise customer operating systems
Microsoft now uses a process improvement called the Security Development Lifecycle
  net effect approx 50% reduction in bugs
Windows Vista used SDL start to finish
IIS v6 (in Windows Server 2003) had only 3 vulnerabilities in 4 years, none critical

Windows Security Defenses
attackers are now criminals rather than young, anarchic miscreants, and are highly motivated by money
have categories of security defenses:
  account defenses
  network defenses
  buffer overrun defenses
  browser defenses

Windows System Hardening
process of shoring up defenses, reducing exposed functionality, disabling features
  known as attack surface reduction
  use 80/20 rule on features, not always achievable
  e.g. requiring RPC authentication in XP SP2
  e.g. strip mobile code support on servers
servers easier to harden:
  1. are used for very specific and controlled purposes
  2. perceive server users are administrators with better computer configuration skills than typical users

Account Defenses
user accounts can have privileged SIDs
least privilege dictates that users operate with just enough privilege for tasks
Windows XP users in local Administrators for application compatibility reasons
  can use "Secondary Logon" to run apps
  also restricted tokens reduce per-thread privilege
Windows Vista reverses default with UAC
  users prompted to perform a privileged operation, unless admin on Server

Low Privilege Service Accounts
Windows services are long-lived processes started after booting
many ran with elevated privileges, but many do not need elevated requirements
Windows XP added Local Service and Network Service accounts
  allow a service local or network access
  otherwise operate at much lower privilege level
Windows XP SP2 split RPC service (RPCSS) in two (RPCSS and DCOM Server Process)
  example of least privilege in action, see also IIS6

Stripping Privileges

another defense is to strip privileges from an account soon after an application starts
  e.g. Index server process runs as system to access all disk volumes
  but then sheds any unneeded privileges as soon as possible, using AdjustTokenPrivileges
Windows Vista can define privileges required by a service, using ChangeServiceConfig2

Network Defenses
need more than user defenses
  vulnerable to attack via network service
have IPSec and IPv6 with authenticated network packets enabled by default in Windows Vista
  IPv4 also enabled by default, expect less use
have built-in software firewall
  block inbound connections on specific ports
  Vista can allow local net access only
  optionally block outbound connections (Vista)
  default was off (XP before SP2) but now default on (XP SP2 and Vista)

Buffer Overrun Defenses

many compromises exploit buffer overruns
Windows Vista has "Stack-Based Buffer Overrun Detection (/GS)" default enabled
  source code compiled with special /GS option
  does not affect every function; only those with at least 4 bytes of contiguous stack data and that take a pointer or buffer as an argument
defends against "classic stack smash"

Windows Stack and /GS flag

Buffer Overrun Defenses

No eXecute (NX) / Data Execution Prevention (DEP) / eXecute Disable (XD)
  prevent code executing in data segments, as commonly used by buffer overrun exploits
  applications linked with /NXCOMPAT option
Stack Randomization (Vista only)
  randomizes thread stack base addresses
Heap-based buffer overrun defenses:
  add and check random value on each heap block
  heap integrity checking
  heap randomization (Vista only)

Other Defenses
Image Randomization
  O/S boots in one of 256 configurations
  makes O/S less predictable for attackers
Service Restart Policy
  services can be configured to restart if they fail
  great for reliability but lousy for security
  Vista sets some critical services so they can only restart twice, then manual restart needed
  gives attacker only two attempts

Browser Defenses

web browser is a key point of attack, via script code, graphics, helper objects
Microsoft added many defenses to IE7
ActiveX opt-in
  unloads ActiveX controls by default
  when any then first run, prompts user to confirm
protected mode
  IE runs at low integrity level (see earlier)
  so more difficult for malware to manipulate O/S

Cryptographic Services

low-level crypto for encryption, hashing, signing
Encrypting File System (EFS)
  allows files / directories to be encrypted / decrypted transparently for authorized users
  generates random key, protected by DPAPI
Data Protection API (DPAPI)
  manages encryption key maintenance and protection
  keys derived in part from user's password
BitLocker Drive Encryption
  encrypts an entire volume with AES
  key either on USB or TPM chip

Summary

Windows security architecture
vulnerabilities
security defenses
  account, network, buffer, browser
crypto services