introduction to information security lecture 2 · 2014-02-23 · introduction to information...
TRANSCRIPT
![Page 1: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/1.jpg)
Avishai Wool, lecture 2 - 1
Introduction to Information Security
Lecture 2
Advanced Control Hijacking
Secure Architecture Principles
![Page 2: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/2.jpg)
Control Hijacking
Run-time
Defenses
Avishai Wool, lecture 2 - 2
![Page 3: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/3.jpg)
Run time checking: StackGuard• Many run-time checking techniques …
– we only discuss methods relevant to overflow protection
• Solution 1: StackGuard
– Run time tests for stack integrity.
– Embed “canaries” in stack frames and verify their integrity
prior to function return.
topof
stack
Frame 1Frame 2
local canary sfp ret args local canary sfp ret args
Avishai Wool, lecture 2 - 3
![Page 4: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/4.jpg)
Canary Types
• Random canary:
– Random string chosen at program startup.
– Insert canary string into every stack frame.
– Verify canary before returning from function.
• Exit program if canary changed. Turns potential exploit into DoS.
– To corrupt, attacker must learn current random string.
• Terminator canary: Canary = {0, newline, linefeed, EOF}
– String functions will not copy beyond terminator.
– Attacker cannot use string functions to corrupt stack.
Avishai Wool, lecture 2 - 4
![Page 5: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/5.jpg)
StackGuard (Cont.)
• StackGuard implemented as a GCC patch.
– Program must be recompiled.
• Minimal performance effects: 8% for Apache.
• Note: Canaries don’t provide full proof
protection.
– Some stack smashing attacks leave canaries unchanged
Avishai Wool, lecture 2 - 5
![Page 6: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/6.jpg)
StackGuard enhancements: ProPolice
• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrange stack layout to prevent ptr overflow.
args
ret addr
SFP
CANARY
local string buffers
local non-buffer variables
Stack
Growth pointers, but no arrays
String
Growth
copy of pointer args
Protects pointer args and
local pointers from a
buffer overflow
Avishai Wool, lecture 2 - 6
![Page 7: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/7.jpg)
MS Visual Studio /GS [since 2003]
Compiler /GS option:
– Combination of ProPolice and Random canary.
– If cookie mismatch, default behavior is to call _exit(3)
Function prolog:
sub esp, 8 // allocate 8 bytes for cookie
mov eax, DWORD PTR ___security_cookie
xor eax, esp // xor cookie with current esp
mov DWORD PTR [esp+8], eax // save in stack
Function epilog:
mov ecx, DWORD PTR [esp+8]
xor ecx, esp
call @__security_check_cookie@4
add esp, 8
Enhanced /GS in Visual Studio 2010:
– /GS protection added to all functions, unless can be proven unnecessary
Avishai Wool, lecture 2 - 7
![Page 8: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/8.jpg)
/GS stack frame
args
ret addr
SFP
CANARY
local string buffers
local non-buffer variables
Stack
Growth pointers, but no arrays
String
Growth
copy of pointer args
exception handlers
Canary protects ret-
addr and exception
handler frame
Avishai Wool, lecture 2 - 8
![Page 9: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/9.jpg)
Control Hijacking
Heap Spray
Attacks
Avishai Wool, lecture 2 - 9
![Page 10: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/10.jpg)
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
• Suppose vtable is on the heap next to a string object:
ptr
data
Object T
FP1
FP2
FP3
vtable
method #1
method #2
method #3
ptrbuf[256]
dat
a
object T
vtable
![Page 11: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/11.jpg)
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
• After overflow of buf we have:
ptr
data
Object T
FP1
FP2
FP3
vtable
method #1
method #2
method #3
ptrbuf[256]
dat
a
object T
vtable
shell
code
![Page 12: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/12.jpg)
A reliable exploit?
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
overflow-string = unescape(“%u2332%u4276%...”);
cause-overflow( overflow-string ); // overflow buf[ ]
</SCRIPT>
Problem: attacker does not know where browser
places shellcode on the heap
ptrbuf[256]
dat
a
shellcodevtable
???
![Page 13: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/13.jpg)
Heap Spraying [SkyLined 2004]
Idea: 1. use Javascript to spray heap
with shellcode (and NOP slides)
2. then point vtable ptr anywhere in spray area
heap
vtable
NOP slide shellcode
heap spray area
![Page 14: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/14.jpg)
Javascript heap spraying
var nop = unescape(“%u9090%u9090”)
while (nop.length < 0x100000) nop += nop
var shellcode = unescape("%u4343%u4343%...");
var x = new Array ()
for (i=0; i<1000; i++) {
x[i] = nop + shellcode;
}
• Pointing func-ptr almost anywhere in heap will cause shellcode to execute.
Avishai Wool, lecture 2 - 14
![Page 15: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/15.jpg)
Vulnerable buffer placement
• Placing vulnerable buf[256] next to object O:
– By sequence of Javascript allocations and freesmake heap look as follows:
– Allocate vuln. buffer in Javascript and cause overflow
– Successfully used against a Safari PCRE overflow [DHM’08]
object O
free blocks
heap
![Page 16: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/16.jpg)
Many heap spray exploits
• Improvements: Heap Feng Shui [S’07]
– Reliable heap exploits on IE without spraying
– Gives attacker full control of IE heap from Javascript
[RLZ’08]
![Page 17: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/17.jpg)
(partial) Defenses
• Protect heap function pointers (e.g. PointGuard)
• Better browser architecture:
– Store JavaScript strings in a separate heap from browser heap
• OpenBSD heap overflow protection:
• Nozzle [RLZ’08] : detect sprays by prevalence of code on heap
non-writable pages
prevents
cross-page
overflows
Avishai Wool, lecture 2 - 17
![Page 18: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/18.jpg)
Secure Architecture
Principles
Isolation and
Least Privilege
Avishai Wool, lecture 2 - 18
![Page 19: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/19.jpg)
Basic idea: Isolation
A Seaman's Pocket-Book, 1943 (public domain)
Avishai Wool, lecture 2 - 19
![Page 20: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/20.jpg)
Principles of Secure Design
• Compartmentalization
– Isolation
– Principle of least privilege
• Defense in depth
– Use more than one security mechanism
– Secure the weakest link
– Fail securely
• Keep it simple
Avishai Wool, lecture 2 - 20
![Page 21: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/21.jpg)
Principle of Least Privilege
• Privilege
– Ability to access or modify a resource
• Principle of Least Privilege
– A system module should only have the minimal
privileges needed for intended purposes
• Requires compartmentalization and isolation
– Separate the system into independent modules
– Limit interaction between modules
Avishai Wool, lecture 2 - 21
![Page 22: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/22.jpg)
Example: Android process isolation
• Android application sandbox
– Isolation: Each application runs with its own UID in
own VM
• Provides memory protection
• Communication protected using Unix domain sockets
• Only ping, zygote (spawn another process) run as root
– Interaction: reference monitor checks permissions
on inter-component communication
– Least Privilege: Applications announces permission
• Whitelist model – user grants access
– Questions asked at install time, to reduce user interruption
Avishai Wool, lecture 2 - 22
![Page 23: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/23.jpg)
Secure Architecture
Principles
Access Control
Concepts
Avishai Wool, lecture 2 - 23
![Page 24: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/24.jpg)
Access control
• Assumptions– System knows who the user is
• Authentication via name and password, other credential
– Access requests pass through gatekeeper (reference monitor)
• System must not allow monitor to be bypassed
ResourceUser
process
Referencemonitor
access request
policy
?
Avishai Wool, lecture 2 - 24
![Page 25: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/25.jpg)
Access control matrix [Lampson]
File 1 File 2 File 3 … File n
User 1 read write - - read
User 2 write write write - -
User 3 - - - read read
…
User m read write read write read
Subjects
Objects
Avishai Wool, lecture 2 - 25
![Page 26: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/26.jpg)
Two implementation concepts
• Access control list (ACL)– Store column of matrix
with the resource• Capability
– User holds a “ticket” for each resource
– Two variations• store row of matrix with user, under OS
control• unforgeable ticket in user space
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m Read write write
Access control lists are widely used, often with groups
Some aspects of capability concept are used in many systemsAvishai Wool, lecture 2 - 26
![Page 27: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/27.jpg)
ACL vs Capabilities
• Access control list
– Associate list with each object
– Check user/group against list
– Relies on authentication: need to know user
• Capabilities
– Capability is unforgeable ticket
• Random bit sequence, or managed by OS
• Can be passed from one process to another
– Reference monitor checks ticket
• Does not need to know identify of user/processAvishai Wool, lecture 2 - 27
![Page 28: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/28.jpg)
ACL vs Capabilities
Process P
User U
Process Q
User U
Process R
User U
Process P
Capabilty c,d,e
Process Q
Process R
Capabilty c
Capabilty c,e
Avishai Wool, lecture 2 - 28
![Page 29: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/29.jpg)
ACL vs Capabilities
• Delegation– Cap: Process can pass capability at run time– ACL: Try to get owner to add permission to list?
• More common: let other process act under current user
• Revocation– ACL: Remove user or group from list– Cap: Try to get capability back from process?
• Possible in some systems if appropriate bookkeeping– OS knows which data is capability– If capability is used for multiple resources, have to revoke all
or none …
• Indirection: capability points to pointer to resource– If C P R, then revoke capability C by setting P=0
Avishai Wool, lecture 2 - 29
![Page 30: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/30.jpg)
Roles (also called Groups)
• Role = set of users
– Administrator, PowerUser, User, Guest
– Assign permissions to roles; each user gets permission
• Role hierarchy
– Partial order of roles
– Each role gets
permissions of roles below
– List only new permissions
given to each role
Administrator
Guest
PowerUser
User
Avishai Wool, lecture 2 - 30
![Page 31: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/31.jpg)
Role-Based Access Control
Individuals Roles Resources
engineering
marketing
human res
Server 1
Server 3
Server 2
Advantage: users change more frequently than rolesAvishai Wool, lecture 2 - 31
![Page 32: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/32.jpg)
Secure ArchitecturePrinciples
Operating Systems
Avishai Wool, lecture 2 - 32
![Page 33: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/33.jpg)
Unix access control
• File has access control list (ACL)
– Grants permission to user ids
– Owner, group, other
• Process has user id
– Inherit from creating process
– Process can change id
• Restricted set of options
– Special “root” id
• Bypass access control restrictions
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m Read write write
Avishai Wool, lecture 2 - 33
![Page 34: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/34.jpg)
Unix file access control list• Each file has owner and group
• Permissions set by owner
– Read, write, execute
– Owner, group, other
– Represented by vector of
four octal values0755 (rwxr-xr-x) public directory or executable0644 (rw-r--r--) public file0600 (rw-------) private file
• Only owner, root can change permissions
– This privilege cannot be delegated or shared
• Setid bits – Discuss in a few slides
rwx rwxrwx-
ownr grp othr
setid
Avishai Wool, lecture 2 - 34
![Page 35: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/35.jpg)
Question
• Owner can have fewer privileges than other
– What happens?
• Owner gets access?
• Owner does not?
Prioritized resolution of differencesif user = owner then owner permission
else if user in group then group permissionelse other permission
Avishai Wool, lecture 2 - 35
![Page 36: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/36.jpg)
Process effective user id (EUID)
• Each process has three Ids (+ more under Linux)– Real user ID (RUID)
• same as the user ID of parent (unless changed)• used to determine which user started the process
– Effective user ID (EUID)
• from set user ID bit on the file being executed, or sys call
• determines the permissions for process– file access and port binding
– Saved user ID (SUID)
• So previous EUID can be restored
• Real group ID, effective group ID, used similarly Avishai Wool, lecture 2 - 36
![Page 37: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/37.jpg)
Process Operations and IDs
• Root– ID=0 for superuser root; can access any file
• Fork and Exec– Inherit three IDs, except exec of file with setuid bit
• Setuid system calls – seteuid(newid) can set EUID to
• Real ID or saved ID, regardless of current EUID
• Any ID, if EUID=0
• Details are actually more complicated– Several different calls: setuid, seteuid, setreuid
Avishai Wool, lecture 2 - 37
![Page 38: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/38.jpg)
Setid bits on executable Unix file
• Three setid bits
– Setuid – set EUID of process to ID of file owner
– Setgid – set EGID of process to GID of file
– Sticky
• Off: if user has write permission on directory, can rename or remove files, even if not owner
• On: only file owner, directory owner, and root can rename or remove file in the directory
Avishai Wool, lecture 2 - 38
![Page 39: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/39.jpg)
Example
…;…;exec( );
RUID 25 SetUID
program
…;…;i=getruid()setuid(i);…;…;
RUID 25EUID 18
RUID 25EUID 25
-rw-r--r--
file
-rw-r--r--
file
Owner 18
Owner 25
read/write
read/write
Owner 18
Avishai Wool, lecture 2 - 39
![Page 40: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/40.jpg)
Setuid programming
• Be Careful with Setuid 0 !
– Root can do anything; don’t get tricked
– Principle of least privilege – change EUID when root privileges no longer needed
Avishai Wool, lecture 2 - 40
![Page 41: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/41.jpg)
Access control in Windows (since NTFS)
• Some basic functionality similar to Unix
– Specify access for groups and users• Read, modify, change owner, delete
• Some additional concepts
– Tokens
– Security attributes
• Generally
– More flexibility than Unix
• Can define new permissions
• Can give some but not all administrator privileges
Avishai Wool, lecture 2 - 41
![Page 42: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/42.jpg)
Identify subject using SID
• Security ID (SID)
– Identity (replaces UID)
• SID revision number
• 48-bit authority value
• variable number of Relative Identifiers (RIDs), for uniqueness
– Users, groups, computers, domains, domain members all have SIDs
![Page 43: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/43.jpg)
Process has set of tokens
• Security context
– Privileges, accounts, and groups associated with the process or thread
– Presented as set of tokens
• Security Reference Monitor
– Uses tokens to identify the security context of a process or thread
• Impersonation token
– Used temporarily to adopt a different security context, usually of another user
Avishai Wool, lecture 2 - 43
![Page 44: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/44.jpg)
Object has security descriptor
• Security descriptor associated with an object– Specifies who can perform what actions on the object
• Several fields– Header
• Descriptor revision number • Control flags, attributes of the descriptor
– E.g., memory layout of the descriptor
– SID of the object's owner– SID of the primary group of the object – Two attached optional lists:
• Discretionary Access Control List (DACL) – users, groups, …
• System Access Control List (SACL) – system logs, .. Avishai Wool, lecture 2 - 44
![Page 45: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/45.jpg)
Example access request
Group1: AdministratorsGroup2: Writers
Control flags
Group SIDDACL PointerSACL Pointer
DenyWritersRead, WriteAllowMarkRead, Write
Owner SID
Revision Number
Access token
Security descriptor
Access request: writeAction: denied
• User Mark requests write permission
• Descriptor denies permission to
group
• Reference Monitor denies request
User: Mark
Order of ACEs in ACL matters!
Windows reads ACL until
permission is granted/Denied
ACE1
ACE2
Avishai Wool, lecture 2 - 45
![Page 46: Introduction to Information Security Lecture 2 · 2014-02-23 · Introduction to Information Security Lecture 2 ... –Separate the system into independent modules –Limit interaction](https://reader033.vdocuments.net/reader033/viewer/2022042606/5f73fe02507402092d1156e6/html5/thumbnails/46.jpg)
Impersonation Tokens (compare to
setuid)
• Process adopts security attributes of another
– Client passes impersonation token to server
• Client specifies impersonation level of server
– Anonymous
• Token has no information about the client
– Identification
• server obtain the SIDs of client and client's privileges, but server cannot impersonate the client
– Impersonation
• server identify and impersonate the client
– Delegation
• lets server impersonate client on local, remote systems