Chapter 5b: Modern Operating Systems Security: Linux and Windows (Vista) (Stallings chapters 23, 24)
Computer Security: Principles and Practice
First Edition, by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Chapter 23 – Linux Security
Linux Security
Linux has evolved into one of the most popular and versatile operating systems
many features mean a broad attack surface
can create highly secure Linux systems
will review:
  Discretionary Access Controls
  typical vulnerabilities and exploits in Linux
  best practices for mitigating those threats
  new improvements to the Linux security model
Linux Security Model
Linux's traditional security model is:
  people or processes with "root" privileges can do anything
  other accounts can do much less
hence attackers want to get root privileges
can run robust, secure Linux systems
crux of the problem is the use of Discretionary Access Controls (DAC)
File System Security
in Linux everything is a file, e.g. memory, device-drivers, named pipes, and other system resources
hence why filesystem security is so important
I/O to devices is via a "special" file, e.g. /dev/cdrom
have other special files like named pipes, a conduit between processes / programs
Users and Groups
a user-account (user) represents someone capable of using files; associated both with humans and processes
a group-account (group) is a list of user-accounts; users have a main group and may also belong to other groups
users & groups are not files
Users and Groups
user's details are kept in /etc/passwd, e.g.
  maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
additional group details in /etc/group, e.g.
  conductors:x:100:
  pianists:x:102:maestro,volodya
use useradd, usermod, userdel to alter
File Permissions
files have two owners: a user & a group, each with its own set of permissions, with a third set of permissions for other
permissions are to read/write/execute, in order user/group/other, cf.
  -rw-rw-r-- 1 maestro user 35414 Mar 25 01:38 baton.txt
set using the chmod command
Directory Permissions
read = list contents
write = create or delete files in directory
execute = use anything in, or change working directory to, this directory
e.g.
  $ chmod g+rx extreme_casseroles
  $ ls -l extreme_casseroles
  drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
Sticky Bit
originally used to lock a file in memory
now used on directories to limit deletion: if set, must own the file or the dir to delete it; other users cannot delete even if they have write permission
set using the chmod command with the +t flag, e.g. chmod +t extreme_casseroles
directory listing includes a t or T flag
  drwxrwx--T 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
only applies to the specific directory, not child dirs
SetUID and SetGID
setuid bit means program "runs as" its owner, no matter who executes it
setgid bit means run as a member of the group which owns it, again regardless of who executes it
"run as" = "run with same privileges as"
are very dangerous if set on a file owned by root or another privileged account or group
only used on executable files, not shell scripts
SetGID and Directories
setuid has no effect on directories
setgid does, and causes any file created in a directory to inherit the directory's group
useful if users belong to other groups and routinely create files to be shared with other members of those groups, instead of manually changing each file's group
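An added example (not from the slides) that models the DAC rules of the last four slides in Python: the user/group/other bit order, the sticky-bit deletion rule, setgid inheritance on directories, and setuid/setgid on executables. Uids, gids and file names are constructed to match the slides' biff/drummers examples.

```python
import stat
from dataclasses import dataclass


@dataclass
class Inode:
    """Constructed model of the metadata the Linux DAC check consults."""
    name: str
    uid: int
    gid: int
    mode: int            # rwx bits plus setuid/setgid/sticky, as in st_mode
    is_dir: bool = False


@dataclass
class Process:
    uid: int
    gid: int                             # primary group
    groups: frozenset = frozenset()      # supplementary groups


R, W, X = 4, 2, 1


def permitted(proc, node, want):
    """Classic check: owner bits if owner, else group bits if member, else other."""
    if proc.uid == 0:
        return True                      # root bypasses DAC entirely
    if proc.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif proc.gid == node.gid or node.gid in proc.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return (bits & want) == want


def can_delete(proc, parent, child):
    """Unlink needs w+x on the directory; the sticky bit adds an ownership test."""
    if not permitted(proc, parent, W | X):
        return False
    if parent.mode & stat.S_ISVTX and proc.uid != 0:
        # sticky: only the file's owner or the directory's owner may delete
        return proc.uid in (parent.uid, child.uid)
    return True


def create_file(proc, parent, name, mode=0o644):
    """New file's group: the directory's group if setgid is set, else the creator's."""
    if not permitted(proc, parent, W | X):
        raise PermissionError(f"{proc.uid} cannot create in {parent.name}")
    gid = parent.gid if parent.mode & stat.S_ISGID else proc.gid
    return Inode(name, proc.uid, gid, mode)


def effective_ids(proc, prog):
    """setuid/setgid on an executable: the process 'runs as' the file's owner/group."""
    euid = prog.uid if prog.mode & stat.S_ISUID else proc.uid
    egid = prog.gid if prog.mode & stat.S_ISGID else proc.gid
    return euid, egid
```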
Kernel vs User Space
Kernel space refers to memory used by the Linux kernel and its loadable modules (e.g., device drivers)
User space refers to memory used by all other processes
since the kernel enforces Linux DAC and security, it is critical to isolate kernel from user space
so kernel space is never swapped to disk
only root may load and unload kernel modules
setuid root Vulnerabilities
a setuid root program runs as root no matter who executes it
used to provide unprivileged users with access to privileged resources (e.g. change passwd)
must be very carefully programmed
if it can be exploited due to a software bug, it may allow otherwise-unprivileged users to use it to wield unauthorized root privileges
distributions now minimize setuid-root programs
system attackers still scan for them!
Web Vulnerabilities
a very broad category of vulnerabilities
because of the ubiquity of the world wide web, have big and visible attack surfaces
when written in scripting languages, not as prone to classic buffer overflows, but can suffer from poor input-handling
few "enabled-by-default" web applications
but users install vulnerable web applications, or write custom web applications having easily-identified and easily-exploited flaws
Rootkits
allow attacker to cover their tracks
if successfully installed before detection, all is very nearly lost
originally collections of hacked commands hiding attacker's files, directories, processes
now use loadable kernel modules, intercepting system calls in kernel-space, hiding attacker from standard commands
may be able to detect with chkrootkit
generally have to wipe and rebuild the system
Linux System Hardening
consider how to mitigate Linux security risks at system and application levels
first look at OS-level security tools and techniques that protect the entire system
OS Installation
security begins with O/S installation, especially what software is run
since unused applications are liable to be left in a default, un-hardened and un-patched state
generally should not run: X Window system, RPC services, R-services, inetd, SMTP daemons, telnet etc
also have some initial system s/w configuration:
  setting root password
  creating a non-root user account
  setting an overall system security level
  enabling a simple host-based firewall policy
  enabling SELinux
Patch Management
installed server applications must be: configured securely; kept up to date with security patches
patching can never win the "patch rat-race"
have tools to automatically download and install security updates, e.g. up2date, YaST, apt-get
note should not run automatic updates on change-controlled systems without testing
Network Access Controls
network a key attack vector to secure
TCP wrappers a key tool to check access
originally tcpd, an inetd wrapper daemon
before allowing a connection to a service, checks:
  if requesting host explicitly in hosts.allow, it is ok
  if requesting host explicitly in hosts.deny, it is blocked
  if in neither, it is ok
checks on service, source IP, username
now often part of the app using libwrappers
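An added example (not from the slides) implementing the three-step TCP wrappers decision above in Python over constructed hosts.allow / hosts.deny contents; it handles the common client patterns (ALL, network prefix ending in ".", domain suffix starting with ".", net/mask) and shows why the "in neither, it is ok" default makes an "ALL: ALL" line in hosts.deny important.

```python
# Constructed sample access-control files (same "daemon_list : client_list" syntax
# as /etc/hosts.allow and /etc/hosts.deny; these are not real production rules).
HOSTS_ALLOW = """\
# who may reach which service
sshd: 192.168.1. , 10.9.0.0/255.255.0.0   # admin LAN and VPN pool
in.ftpd, sshd: .corp.example.com          # any host in the corporate domain
"""
HOSTS_DENY = "ALL: ALL   # everything not explicitly allowed above is refused\n"


def _masked(addr, mask):
    """Dotted-quad address ANDed with a dotted-quad mask, octet by octet."""
    return [int(a) & int(m) for a, m in zip(addr.split("."), mask.split("."))]


def _match_client(pattern, host, addr):
    """Client-list patterns supported by tcpd's hosts_access(5) syntax (subset)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .corp.example.com
        return host.endswith(pattern)
    if pattern.endswith("."):              # network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 10.9.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return _masked(addr, mask) == _masked(net, mask)
    return pattern in (host, addr)         # exact hostname or address


def _parse(text):
    """Yield (daemons, clients) per rule; '#' comments and blank lines ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]   # third field (shell cmd) ignored
        rules.append(([d.strip() for d in parts[0].split(",")],
                      [c.strip() for c in parts[1].split(",")]))
    return rules


def _matches(rules, service, host, addr):
    for daemons, clients in rules:
        if any(d in ("ALL", service) for d in daemons) and \
           any(_match_client(c, host, addr) for c in clients):
            return True
    return False


def hosts_access(service, host, addr, hosts_allow, hosts_deny):
    """The order on the slide: hosts.allow wins, then hosts.deny, else permitted."""
    if _matches(_parse(hosts_allow), service, host, addr):
        return True
    if _matches(_parse(hosts_deny), service, host, addr):
        return False
    return True
```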
Network Access Controls
also have the very powerful netfilter, the Linux kernel's native firewall mechanism, and the iptables user-space front end
as useful on firewalls, servers, desktops
direct config tricky, steep learning curve
do have automated rule generators
typically for "personal" firewall use will:
  allow incoming requests to specified services
  block all other inbound service requests
  allow all outbound (locally-originating) requests
if need greater security, manually config
Antivirus Software
historically Linux not as vulnerable to viruses, more due to lesser popularity than to security
prompt patching was effective for worms
but viruses abuse users' privileges; non-root users have less scope to exploit, but can still consume resources
growing Linux popularity means exploits, hence antivirus software will be more important
various commercial and free Linux A/V
User Management
guiding principles in user-account security:
  need care setting file / directory permissions
  use groups to differentiate between roles
  use extreme care in granting / using root privs
commands: chmod, useradd/mod/del, groupadd/mod/del, passwd, chage
info in files /etc/passwd & /etc/group
manage users' group memberships
set appropriate password ages
Root Delegation
have the "root can do anything, users do little" issue
"su" command allows users to run as root, either a root shell or a single command; must supply the root password, which means likely too many people know it
SELinux RBAC can limit root authority, but is complex
"sudo" allows users to run as root, but only needs their own password, not the root password; the /etc/sudoers file specifies what commands are allowed
or configure user/group perms to allow, which is tricky
Logging
effective logging a key resource
Linux logs using syslogd or Syslog-NG, which:
  receive log data from a variety of sources
  sort by facility (category) and severity
  write log messages to local/remote log files
Syslog-NG preferable because it has: a variety of log-data sources / destinations; a much more flexible "rules engine" to configure; can log via TCP, which can be encrypted
should check and customize defaults
Log Management
balance the number of log files used: size of a few vs finding info in many
manage the size of log files: must rotate log files and delete old copies; typically use the logrotate utility run by cron to manage both system and application logs
must also configure application logging
Application Security
this is a large topic
many security features are implemented in similar ways across different applications
will review issues such as: running as unprivileged user/group; running in a chroot jail; modularity; encryption; logging
Running As Unprivileged User/Group
every process "runs as" some user
extremely important this user is not root, since any bug can compromise the entire system
may need root privileges, e.g. to bind a port; have a root parent perform the privileged function, but run the main service from an unprivileged child
user/group used should be dedicated; easier to identify the source of log messages
Running in chroot Jail
chroot confines a process to a subset of /
maps a virtual "/" to some other directory
useful if have a daemon that should only access a portion of the file system, e.g. FTP
directories outside the chroot jail aren't visible or reachable at all
contains effects of a compromised daemon
complex to configure and troubleshoot
must mirror portions of the system in the chroot jail
Modularity
applications running as a single, large, multipurpose process can be: more difficult to run as an unprivileged user; harder to locate / fix security bugs in source; harder to disable unnecessary functionality
hence modularity a highly prized feature, providing a much smaller attack surface
cf. postfix vs sendmail, Apache modules
Encryption
sending logins & passwords or application data over networks in clear text exposes them to network eavesdropping attacks
hence many network applications now support encryption to protect such data, often using the OpenSSL library
may need own X.509 certificates to use; can generate/sign using the openssl command; may use a commercial/own/free CA
Logging
applications can usually be configured to log at any level of detail (debug to none)
need an appropriate setting
must decide whether to use a dedicated file or the system logging facility (e.g. syslog); a central facility is useful for consistent use
must ensure any log files are rotated
Mandatory Access Controls
Linux uses a DAC security model
but Mandatory Access Controls (MAC) impose a global security policy on all users
users may not set controls weaker than policy
normal admin done with accounts without authority to change the global security policy
but MAC systems have been hard to manage
Novell's SuSE Linux has AppArmor
RedHat Enterprise Linux has SELinux
pure SELinux for high-sensitivity, high-security
SELinux
is NSA's powerful implementation of mandatory access controls for Linux
Linux DACs still apply, but if DAC allows the action SELinux then evaluates it against its own security policies
"that which is not expressly permitted, is denied"
"subjects" are processes (run user cmds)
actions are "permissions"
objects are not just files & dirs
to manage complexity SELinux has groups of subjects, permissions, and objects
Security Contexts
each individual subject & object in SELinux is governed by a security context, being a:
  user - individual user (human or daemon); SELinux maintains its own list of users; user labels on subjects specify the account's privileges; user labels on objects specify the owner
  role - like a group, assumed by users; a user may only assume one role at a time, and may only switch roles if and when authorized to do so
  domain (type) - a sandbox, being a combination of subjects and objects that may interact with each other
this model is called Type Enforcement (TE)
Decision Making in SELinux
two types of decisions:
  access decisions: when subjects do things to objects that already exist, or create new things in the expected domain
  transition decisions: invocation of processes in different domains than the one in which the subject-process is running; creation of objects in different types (domains) than their parent directories
transitions must be authorized by SELinux policy
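An added example (not from the slides, and not SELinux's own code) of a tiny Type Enforcement evaluator in Python: it takes allow and type_transition rules in the same shape as SELinux policy statements, enforces "DAC first, then SELinux, deny unless expressly permitted", and makes the two transition decisions above (domain change on exec, object type on create). The policy text, type names and permission names below are constructed for illustration.

```python
from collections import defaultdict


class TEPolicy:
    """Minimal Type Enforcement policy: access is denied unless an allow rule matches."""

    def __init__(self, text=""):
        self.allow = defaultdict(set)   # (source_type, target_type, class) -> perms
        self.trans = {}                 # (source_type, target_type, class) -> new type
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                self.rule(line)

    def rule(self, text):
        # "allow A B : cls { p1 p2 }"  or  "type_transition A B : cls C"
        kind, src, tgt, _colon, cls, rest = text.replace(":", " : ").split(None, 5)
        if kind == "allow":
            self.allow[(src, tgt, cls)] |= set(rest.strip("{} ").split())
        elif kind == "type_transition":
            self.trans[(src, tgt, cls)] = rest.strip()
        else:
            raise ValueError(f"unsupported statement: {kind}")

    def allowed(self, src, tgt, cls, perm, dac_ok=True):
        """Access decision: DAC decides first; SELinux can only restrict further."""
        return dac_ok and perm in self.allow[(src, tgt, cls)]

    def exec_domain(self, domain, file_type):
        """Transition decision on exec: which domain does the new process run in?
        A domain change needs execute on the file, transition to the new domain,
        and entrypoint for the new domain on that file; otherwise stay put."""
        new = self.trans.get((domain, file_type, "process"))
        if new is None:
            return domain if self.allowed(domain, file_type, "file", "execute") else None
        ok = (self.allowed(domain, file_type, "file", "execute")
              and self.allowed(domain, new, "process", "transition")
              and self.allowed(new, file_type, "file", "entrypoint"))
        return new if ok else None

    def created_type(self, domain, parent_type, cls="file"):
        """Transition decision on create: new object's type, default = parent's type."""
        return self.trans.get((domain, parent_type, cls), parent_type)


# Constructed policy fragment for a web server domain (illustrative names only).
SAMPLE_POLICY = """
allow init_t httpd_exec_t : file { execute }
allow init_t httpd_t : process { transition }
allow httpd_t httpd_exec_t : file { entrypoint }
type_transition init_t httpd_exec_t : process httpd_t
allow httpd_t httpd_config_t : file { read getattr }
allow httpd_t var_log_t : dir { write add_name }
type_transition httpd_t var_log_t : file httpd_log_t
allow httpd_t httpd_log_t : file { create append }
"""
```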
RBAC and MLS Controls
have Role Based Access Control (RBAC): rules specify the roles a user may assume; other rules specify the circumstances when a user may transition from one role to another
and Multi Level Security (MLS): concerns the handling of classified data; "no read up, no write down"
MLS is enforced via file system labeling
SELinux Policy Management
creating and maintaining SELinux policies is complicated and time-consuming
a single SELinux policy may consist of hundreds of lines of text
RHEL has a default "targeted" policy: defines types for selected network apps; allows everything else to use DAC controls
have a range of SELinux commands; see additional references for details
Novell AppArmor
Novell's MAC for SuSE Linux
enforced at kernel level using Linux Security Modules
restricts the behavior of selected applications in a very granular but targeted way, hence a compromised root application's access will be contained
has no controls addressing data classification, hence only a partial MAC implementation
non-protected apps just use Linux DAC
Summary
reviewed Linux security model and DAC
vulnerabilities
O/S and application hardening
MAC, SELinux and AppArmor
Chapter 24 – Windows and Windows Vista Security
Windows and Windows Vista Security
Windows is the world's most popular O/S
advantage is that security enhancements can protect millions of nontechnical users
challenge is that vulnerabilities in Windows can also affect millions of users
will review the overall security architecture of Windows 2000 and later (but not Win9X)
then the security defenses built into Windows
Windows Security Architecture
Security Reference Monitor (SRM): a kernel-mode component that performs access checks, generates audit log entries, and manipulates user rights (privileges)
Local Security Authority (LSA): responsible for enforcing local security policy
Security Account Manager (SAM): a database that stores user accounts and local users and groups security information; local logins perform a lookup against the SAM DB; passwords are stored using MD4
Windows Security Architecture
Active Directory (AD): Microsoft's LDAP directory
all Windows clients can use AD to perform security operations including account logon
authenticate using AD when the user logs on using a domain rather than a local account
user's credential information is sent securely across the network to be verified by AD
WinLogon (local) and NetLogon (net) handle login requests
Local vs Domain Accounts
a networked Windows computer can be:
  domain joined: can login with either domain or local accounts; if local, may not access domain resources; centrally managed and much more secure
  in a workgroup: a collection of computers connected together; only local accounts in the SAM can be used; no infrastructure to support an AD domain
Windows Login Example
domain admin adds the user's account info (name, account, password, groups, privileges)
account is represented by a Security ID (SID), unique to each account within a domain, of the form: S-1-5-21-AAA-BBB-CCC-RRR
username in one of two forms: SAM format: DOMAIN\Username; User Principal Name (UPN)
login using username & password or smartcard
issued with a token (SID, groups, privileges), assigned to every process run by the user
Windows Privileges
are systemwide permissions assigned to user accounts, e.g. backup computer, or change system time
some are deemed "dangerous", such as: act as part of operating system privilege; debug programs privilege; backup files and directories privilege
others are deemed "benign", such as bypass traverse checking privilege
Access Control Lists
two forms of access control list (ACL):
  Discretionary ACL (DACL): grants or denies access to protected resources such as files, shared memory, named pipes etc
  System ACL (SACL): used for auditing and, in Windows Vista, to enforce mandatory integrity policy
Access Control Lists
objects needing protection are assigned a DACL (and possibly a SACL) that includes: the SID of the object owner; a list of access control entries (ACEs)
each ACE includes a SID & an access mask
the access mask could include the ability to: read, write, create, delete, modify, etc
access masks are object-type specific, e.g. service abilities are create, enumerate
Security Descriptor (SD)
data structure with object owner, DACL, & SACL, e.g.
  Owner: CORP\Blake
  ACE[0]: Allow CORP\Paige Full Control
  ACE[1]: Allow Administrators Full Control
  ACE[2]: Allow CORP\Cheryl Read, Write and Delete
have no implied access: if there is no ACE for the requesting user, then access is denied
applications must request the correct type of access: if they just request "all access" when they need less (e.g. read), some users who should have access will be denied
More SDs & Access Checks
each ACE in the DACL determines access
an ACE can be an allow or a deny ACE
Windows evaluates each ACE in the ACL until access is granted or explicitly denied, so deny ACEs come before allow ACEs
  default if set using the GUI
  must explicitly order if created programmatically
when a user attempts to access a protected object, the O/S performs an access check comparing user/group info with the ACEs in the ACL
Impersonation
process can have multiple threads, common for both clients and servers
impersonation allows a server to serve a user using their access privileges, e.g. the ImpersonateNamedPipeClient function
sets the user's token on the current thread
then access checks for that thread are performed against this token, not the server's, with the user's access rights
Mandatory Access Control
have Integrity Control in Windows Vista that limits operations changing an object's state
objects and principals are labeled (using a SID) as:
  Low integrity (S-1-16-4096)
  Medium integrity (S-1-16-8192)
  High integrity (S-1-16-12288)
  System integrity (S-1-16-16384)
when a write operation occurs, first check that the subject's integrity level dominates the object's integrity level
much of the O/S is marked medium or higher integrity
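An added example (not from the slides, and not the Windows implementation) that models the Vista access check described over the last few slides in Python: the integrity-level dominance test for writes, then in-order DACL evaluation where a deny ACE stops the check and allow ACEs accumulate rights, with no implied access when no ACE matches. It uses the CORP\Blake security descriptor from the slide; the access-mask constants are a constructed, simplified subset of the real ones.

```python
from dataclasses import dataclass

# Simplified access-mask bits (a small subset of the real Windows masks)
READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x10000, 0x40000
FULL = READ | WRITE | DELETE | WRITE_DAC           # "Full Control" in this model

# Integrity label SIDs from the slide, ordered by level
INTEGRITY = {"S-1-16-4096": 1, "S-1-16-8192": 2, "S-1-16-12288": 3, "S-1-16-16384": 4}
MEDIUM = "S-1-16-8192"


@dataclass
class Ace:
    allow: bool      # False -> deny ACE
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list       # ACEs, evaluated in list order
    integrity: str = MEDIUM


@dataclass
class Token:
    sids: frozenset  # user SID plus group SIDs
    integrity: str = MEDIUM


def access_check(token, sd, desired):
    """Return True only if every requested right is granted."""
    # Vista integrity control: a write needs subject level >= object level
    if desired & (WRITE | DELETE | WRITE_DAC) and \
            INTEGRITY[token.integrity] < INTEGRITY[sd.integrity]:
        return False
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token.sids:
            continue                      # ACE is for someone else
        if not ace.allow:
            if ace.mask & remaining:      # deny hits a right still needed
                return False
        else:
            remaining &= ~ace.mask        # allow grants some of the rights
            if remaining == 0:
                return True
    return False                          # nothing left to grant it: no implied access


# The slide's example descriptor; account names stand in for SIDs (constructed)
BLAKE, PAIGE, ADMINS, CHERYL = "CORP\\Blake", "CORP\\Paige", "Administrators", "CORP\\Cheryl"
SLIDE_SD = SecurityDescriptor(owner=BLAKE, dacl=[
    Ace(True, PAIGE, FULL),
    Ace(True, ADMINS, FULL),
    Ace(True, CHERYL, READ | WRITE | DELETE),
])
```

With the allow-before-deny ordering the slide warns about, the deny ACE is never reached; the test below checks both orderings.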
Windows Vulnerabilities
Windows, like all O/Ss, has security bugs, and bugs have been exploited by attackers to compromise customer operating systems
Microsoft now uses a process improvement called the Security Development Lifecycle; net effect approx 50% reduction in bugs
Windows Vista used SDL start to finish
IIS v6 (in Windows Server 2003) had only 3 vulnerabilities in 4 years, none critical
Windows Security Defenses
attackers are now criminals rather than young, anarchic miscreants, and are highly motivated by money
have categories of security defenses: account defenses; network defenses; buffer overrun defenses; browser defenses
Windows System Hardening
process of shoring up defenses, reducing exposed functionality, disabling features
known as attack surface reduction
use the 80/20 rule on features, not always achievable, e.g. requiring RPC authentication in XP SP2, e.g. strip mobile code support on servers
servers easier to harden:
  1. are used for very specific and controlled purposes
  2. perceive server users are administrators with better computer configuration skills than typical users
Account Defenses
user accounts can have privileged SIDs
least privilege dictates that users operate with just enough privilege for their tasks
Windows XP users in local Administrators for application compatibility reasons
can use "Secondary Logon" to run apps
also restricted tokens reduce per-thread privilege
Windows Vista reverses the default with UAC: users are prompted to perform a privileged operation, unless admin on Server
Low Privilege Service Accounts
Windows services are long-lived processes started after booting
many ran with elevated privileges, but many do not need elevated requirements
Windows XP added Local Service and Network Service accounts: allow a service local or network access; otherwise operate at a much lower privilege level
Windows XP SP2 split the RPC service (RPCSS) in two (RPCSS and DCOM Server Process)
example of least privilege in action, see also IIS6
Stripping Privileges
another defense is to strip privileges from an account soon after an application starts
e.g. Index server process runs as system to access all disk volumes, but then sheds any unneeded privileges as soon as possible using AdjustTokenPrivileges
Windows Vista can define the privileges required by a service using ChangeServiceConfig2
Network Defenses
need more than user defenses; vulnerable to attack via network services
have IPSec and IPv6 with authenticated network packets enabled by default in Windows Vista
IPv4 also enabled by default, expect less use
have built-in software firewall:
  block inbound connections on specific ports
  Vista can allow local net access only
  optionally block outbound connections (Vista)
  default was off (XP) but now default on (Vista)
Buffer Overrun Defenses
many compromises exploit buffer overruns
Windows Vista has "Stack-Based Buffer Overrun Detection (/GS)" enabled by default
source code compiled with the special /GS option
does not affect every function; only those with at least 4 bytes of contiguous stack data and that take a pointer or buffer as an argument
defends against the "classic stack smash"
Buffer Overrun Defenses
No eXecute (NX) / Data Execution Prevention (DEP) / eXecution Disable (XD)
  prevent code executing in data segments, as commonly used by buffer overrun exploits
  applications linked with the /NXCOMPAT option
Stack Randomization (Vista only): randomizes thread stack base addresses
Heap-based buffer overrun defenses: add and check a random value on each heap block; heap integrity checking; heap randomization (Vista only)
Other Defenses
Image Randomization: O/S boots in one of 256 configurations; makes the O/S less predictable for attackers
Service Restart Policy: services can be configured to restart if they fail; great for reliability but lousy for security; Vista sets some critical services so they can only restart twice, then a manual restart is needed; gives an attacker only two attempts
Browser Defenses
web browser is a key point of attack via script code, graphics, helper objects
Microsoft added many defenses to IE7:
  ActiveX opt-in: unloads ActiveX controls by default; when any is first run, prompts the user to confirm
  protected mode: IE runs at low integrity level (see earlier), so it is more difficult for malware to manipulate the O/S
Cryptographic Services
low-level crypto for encryption, hashing, signing
Encrypting File System (EFS): allows files / directories to be encrypted / decrypted transparently for authorized users; generates a random key, protected by DPAPI
Data Protection API (DPAPI): manages encryption key maintenance and protection; keys derived in part from the user's password
BitLocker Drive Encryption: encrypts an entire volume with AES; key either on USB or TPM chip