secure architecture principles - columbia...
TRANSCRIPT
SecureArchitecturePrinciples
• Isola3onandLeastPrivilege• AccessControlConcepts• Opera3ngSystems• BrowserIsola3onandLeastPrivilege
OriginalslideswerecreatedbyProf.JohnMitchel
SecureArchitecturePrinciples
Isola3onandLeastPrivilege
PrinciplesofSecureDesign• Compartmentaliza3on
– Isola3on– Principleofleastprivilege
• Defenseindepth– Usemorethanonesecuritymechanism– Securetheweakestlink– Failsecurely
• Keepitsimple
PrincipleofLeastPrivilege• What’saprivilege?
– Abilitytoaccessormodifyaresource• Assumecompartmentaliza3onandisola3on
– Separatethesystemintoisolatedcompartments– Limitinterac3onbetweencompartments
• PrincipleofLeastPrivilege– Asystemmoduleshouldonlyhavetheminimalprivilegesneededforitsintendedpurposes
Monolithicdesign
System
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
Monolithicdesign
System
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
Monolithicdesign
System
Network
Userinput
Filesystem
Network
Userdisplay
Filesystem
Componentdesign
Network
Userinput
Filesystem
Network
Userdisplay
Filesystem
Componentdesign
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
Componentdesign
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
PrincipleofLeastPrivilege• What’saprivilege?
– Abilitytoaccessormodifyaresource• Assumecompartmentaliza3onandisola3on
– Separatethesystemintoisolatedcompartments– Limitinterac3onbetweencompartments
• PrincipleofLeastPrivilege– Asystemmoduleshouldonlyhavetheminimalprivilegesneededforitsintendedpurposes
Example:MailAgent• Requirements
– Receiveandsendemailoverexternalnetwork– Placeincomingemailintolocaluserinboxfiles
• Sendmail– Tradi3onalUnix– Monolithicdesign– Historicalsourceofmanyvulnerabili3es
• Qmail– Compartmentalizeddesign
OSBasics(beforeexamples)
• Isola3onbetweenprocesses– EachprocesshasaUID
• TwoprocesseswithsameUIDhavesamepermissions– Aprocessmayaccessfiles,networksockets,….
• PermissiongrantedaccordingtoUID• Rela3ontopreviousterminology
– CompartmentdefinedbyUID– Privilegesdefinedbyac3onsallowedonsystemresources
Qmaildesign• Isola3onbasedonOSisola3on
– Separatemodulesrunasseparate“users”– Eachuseronlyhasaccesstospecificresources
• Leastprivilege– MinimalprivilegesforeachUID– Onlyone“setuid”program
• setuidallowsaprogramtorunasdifferentusers– Onlyone“root”program
• rootprogramhasallprivileges
Structureofqmail
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
Incoming external mail Incoming internal mail
Isola3onbyUnixUIDs
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
qmaild user
qmailq
qmails qmailr
qmailr
root
user setuid user
qmailq – user who is allowed to read/write mail queue
Structureofqmail
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queueReadsincomingmaildirectoriesSplitsmessageintoheader,bodySignalsqmail-send
Structureofqmail
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queueqmail-sendsignals
• qmail-lspawniflocal• qmail-remoteifremote
Structureofqmail
qmail-smtpd
qmail-local
qmail-lspawn
qmail-send
qmail-inject
qmail-queue
qmail-lspawn• Spawnsqmail-local• qmail-localrunswithIDofuserreceivinglocalmail
Structureofqmail
qmail-smtpd
qmail-local
qmail-lspawn
qmail-send
qmail-inject
qmail-queue
qmail-local• Handlesaliasexpansion• Deliverslocalmail• Callsqmail-queueifneeded
Structureofqmail
qmail-smtpd
qmail-remote
qmail-rspawn
qmail-send
qmail-inject
qmail-queue
qmail-remote• DeliversmessagetoremoteMTA
root
Isola3onbyUnixUIDs
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
qmaild user
qmailq
qmails qmailr
qmailr user setuid user
qmailq – user who is allowed to read/write mail queue
setuid
root
Leastprivilege
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
root
setuid
Androidprocessisola3on
• Androidapplica3onsandbox– Isola3on:Eachapplica3onrunswithitsownUIDinownVM
• Providesmemoryprotec3on• Communica3onlimitedtousingUnixdomainsockets• Onlyping,zygote(spawnanotherprocess)runasroot
– Interac3on:referencemonitorcheckspermissionsoninter-componentcommunica3on
– LeastPrivilege:Applica3onsannouncespermission• Usergrantsaccessatinstall3me
SecureArchitecturePrinciples
AccessControlConcepts
Accesscontrol• Assump3ons
– Systemknowswhotheuseris• Authen3ca3onvianameandpassword,othercreden3al
– Accessrequestspassthroughgatekeeper(referencemonitor)• Systemmustnotallowmonitortobebypassed
ResourceUserprocess
Referencemonitor
accessrequest
policy
?
Accesscontrolmatrix[Lampson]
File 1 File 2 File 3 … File n
User 1 read write - - read
User 2 write write write - -
User 3 - - - read read
…
User m read write read write read
Subjects
Objects
Implementa3onconcepts• Accesscontrollist(ACL)
– Storecolumnofmatrixwiththeresource
• Capability– Userholdsa“3cket”foreachresource– Twovaria3ons
• storerowofmatrixwithuser,underOScontrol• unforgeable3cketinuserspace
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m Read write write
Accesscontrollistsarewidelyused,ocenwithgroupsSomeaspectsofcapabilityconceptareusedinmanysystems
ACLvsCapabili3es• Accesscontrollist
– Associatelistwitheachobject– Checkuser/groupagainstlist– Reliesonauthen3ca3on:needtoknowuser
• Capabili3es– Capabilityisunforgeable3cket
• Randombitsequence,ormanagedbyOS• Canbepassedfromoneprocesstoanother
– Referencemonitorchecks3cket• Doesnotneedtoknowiden3fyofuser/process
ACLvsCapabili3es
ProcessPUserU
ProcessQUserU
ProcessRUserU
ProcessPCapabiltyc,d,e
ProcessQ
ProcessRCapabiltyc
Capabiltyc,e
ACLvsCapabili3es• Delega3on
– Cap:Processcanpasscapabilityatrun3me– ACL:Trytogetownertoaddpermissiontolist?
• Morecommon:letotherprocessactundercurrentuser• Revoca3on
– ACL:Removeuserorgroupfromlist– Cap:Trytogetcapabilitybackfromprocess?
• Possibleinsomesystemsifappropriatebookkeeping– OSknowswhichdataiscapability– Ifcapabilityisusedformul3pleresources,havetorevokeallornone…
• Indirec3on:capabilitypointstopointertoresource– IfC→P→R,thenrevokecapabilityCbyseengP=0
Roles(akaGroups)• Role=setofusers
– Administrator,PowerUser,User,Guest– Assignpermissionstoroles;eachusergetspermission
• Rolehierarchy– Par3alorderofroles– Eachrolegetspermissionsofrolesbelow
– Listonlynewpermissionsgiventoeachrole
Administrator
Guest
PowerUser
User
Role-BasedAccessControlIndividuals Roles Resources
engineering
marke3ng
humanres
Server1
Server3
Server2
Advantage:userschangemorefrequentlythanroles
Accesscontrolsummary• Accesscontrolinvolvesreferencemonitor
– Checkpermissions:〈userinfo,ac3on〉→yes/no– Important:nowayaroundthischeck
• Accesscontrolmatrix– Accesscontrollistsvscapabili3es– Advantagesanddisadvantagesofeach
• Role-basedaccesscontrol– Usegroupas“userinfo”;usegrouphierarchies
SecureArchitecturePrinciples
Opera3ngSystems
Unixaccesscontrol
• Processhasuserid– Inheritfromcrea3ngprocess– Processcanchangeid
• Restrictedsetofop3ons– Special“root”id
• Allaccessallowed• Filehasaccesscontrollist(ACL)
– Grantspermissiontouserids– Owner,group,other
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m Read write write
Unixfileaccesscontrollist• Eachfilehasownerandgroup• Permissionssetbyowner
– Read,write,execute– Owner,group,other– Representedbyvectoroffouroctalvalues
• Onlyowner,rootcanchangepermissions– Thisprivilegecannotbedelegatedorshared
• Se3dbits–Discussinafewslides
rwx rwxrwx-ownr grp othr
se3d
Ques3on• Ownercanhavefewerprivilegesthanother
– Whathappens?• Ownergetsaccess?• Ownerdoesnot?
Priori3zedresolu3onofdifferencesifuser=ownerthenownerpermissionelseifuseringroupthengrouppermissionelseotherpermission
Processeffec3veuserid(EUID)• EachprocesshasthreeIds(+moreunderLinux)
– RealuserID(RUID)• sameastheuserIDofparent(unlesschanged)• usedtodeterminewhichuserstartedtheprocess
– Effec3veuserID(EUID)• fromsetuserIDbitonthefilebeingexecuted,orsyscall• determinesthepermissionsforprocess
– fileaccessandportbinding– SaveduserID(SUID)
• SopreviousEUIDcanberestored
• RealgroupID,effec3vegroupID,usedsimilarly
ProcessOpera3onsandIDs• Root
– ID=0forsuperuserroot;canaccessanyfile• ForkandExec
– InheritthreeIDs,exceptexecoffilewithsetuidbit• Setuidsystemcall
– seteuid(newid)cansetEUIDto• RealIDorsavedID,regardlessofcurrentEUID• AnyID,ifEUID=0
• Detailsareactuallymorecomplicated– Severaldifferentcalls:setuid,seteuid,setreuid
Se3dbitsonexecutableUnixfile• Threese3dbits
– Setuid–setEUIDofprocesstoIDoffileowner– Setgid–setEGIDofprocesstoGIDoffile– S3cky
• Off:ifuserhaswritepermissionondirectory,canrenameorremovefiles,evenifnotowner
• On:onlyfileowner,directoryowner,androotcanrenameorremovefileinthedirectory
Example
…;…;exec();
RUID25 SetUID
program
…;…;i=getruid()setuid(i);…;…;
RUID25EUID18
RUID25EUID25
-rw-r--r--file
-rw-r--r--file
Owner18
Owner25
read/write
read/write
Owner18
Unixsummary• Goodthings
– Someprotec3onfrommostusers– Flexibleenoughtomakethingspossible
• Mainlimita3on– Tootemp3ngtouserootprivileges– Nowaytoassumesomerootprivilegeswithoutallrootprivileges
Weaknessinisola3on,privileges• Network-facingDaemons
– Rootprocesseswithnetworkportsopentoallremotepar3es,e.g.,sshd,cpd,sendmail,…
• Rootkits– Systemextensionviadynamicallyloadedkernelmodules
• EnvironmentVariables– SystemvariablessuchasLIBPATHthataresharedstateacross
applica3ons.AnaqackercanchangeLIBPATHtoloadanaqacker-providedfileasadynamiclibrary
Weaknessinisola3on,privileges• SharedResources
– Sinceanyprocesscancreatefilesin/tmpdirectory,anuntrustedprocessmaycreatefilesthatareusedbyarbitrarysystemprocesses
• Time-of-Check-to-Time-of-Use(TOCTTOU)– Typically,arootprocessusessystemcalltodetermineifini3a3nguser
haspermissiontoapar3cularfile,e.g./tmp/X.– Aceraccessisauthorizedandbeforethefileopen,usermaychange
thefile/tmp/Xtoasymboliclinktoatargetfile/etc/shadow.
AccesscontrolinWindows• Somebasicfunc3onalitysimilartoUnix
– Specifyaccessforgroupsandusers• Read,modify,changeowner,delete
• Someaddi3onalconcepts– Tokens– Securityaqributes
• Generally – MoreflexiblethanUnix
• Candefinenewpermissions• Cangivesomebutnotalladministratorprivileges
Iden3fysubjectusingSID• SecurityID(SID)
– Iden3ty(replacesUID)• SIDrevisionnumber• 48-bitauthorityvalue• variablenumberofRela3veIden3fiers(RIDs),foruniqueness
– Users,groups,computers,domains,domainmembersallhaveSIDs
Processhassetoftokens• Securitycontext
– Privileges,accounts,andgroupsassociatedwiththeprocessorthread
– Presentedassetoftokens• Impersona3ontoken
– Usedtemporarilytoadoptadifferentsecuritycontext,usuallyofanotheruser
• SecurityReferenceMonitor– Usestokenstoiden3fythesecuritycontextofaprocessorthread
Objecthassecuritydescriptor• Securitydescriptorassociatedwithanobject
– Specifieswhocanperformwhatac3onsontheobject• Severalfields
– Header• Descriptorrevisionnumber• Controlflags,aqributesofthedescriptor
– E.g.,memorylayoutofthedescriptor– SIDoftheobject'sowner– SIDoftheprimarygroupoftheobject– Twoaqachedop3onallists:
• Discre3onaryAccessControlList(DACL)–users,groups,…• SystemAccessControlList(SACL)–systemlogs,..
Exampleaccessrequest
Group1:AdministratorsGroup2:Writers
Controlflags
GroupSIDDACLPointerSACLPointerDenyWritersRead,WriteAllowMarkRead,Write
OwnerSID
RevisionNumber
Accesstoken
Securitydescriptor
Accessrequest:writeAc3on:denied
• User Mark requests write permission • Descriptor denies permission to group • Reference Monitor denies request (DACL for access, SACL for audit and logging)
Priority:ExplicitDenyExplicitAllowInheritedDenyInheritedAllow
User:Mark
Impersona3onTokens(comparetosetuid)
• Processadoptssecurityaqributesofanother– Clientpassesimpersona3ontokentoserver
• Clientspecifiesimpersona3onlevelofserver– Anonymous
• Tokenhasnoinforma3onabouttheclient– Iden3fica3on
• ObtaintheSIDsofclientandclient'sprivileges,butservercannotimpersonatetheclient
– Impersona3on• Impersonatetheclient
– Delega3on• Letsserverimpersonateclientonlocal,remotesystems
Weaknessinisola3on,privileges• SimilarproblemstoUnix
– E.g.,Rootkitsleveragingdynamicallyloadedkernelmodules• WindowsRegistry
– Globalhierarchicaldatabasetostoredataforallprograms– Registryentrycanbeassociatedwithasecuritycontextthatlimitsaccess;commontobeabletowritesensi3veentry
• EnabledByDefault– Historically,manyWindowsdeploymentsalsocamewithfullpermissionsandfunc3onalityenabled
SecureArchitecturePrinciples
BrowserIsola3onandLeastPrivilege
Webbrowser:ananalogy
Opera&ngsystem• Subject:Processes
– HasUserID(UID,SID)– Discre3onaryaccesscontrol
• Objects– File– Network– …
• Vulnerabili3es– Untrustedprograms– Bufferoverflow– …
Webbrowser• Subject:webcontent(JavaScript)
– Has“Origin”– Mandatoryaccesscontrol
• Objects– Documentobjectmodel– Frames– Cookies/localStorage
• Vulnerabili3es– Cross-sitescrip3ng– Implementa3onbugs– …
Thewebbrowserenforcesitsowninternalpolicy.Ifthebrowserimplementa3oniscorrupted,thismechanismbecomesunreliable.
Componentsofsecuritypolicy• Frame-Framerela3onships
– canScript(A,B)• CanFrameAexecuteascriptthatmanipulatesarbitrary/nontrivialDOMelementsofFrameB?
– canNavigate(A,B)• CanFrameAchangetheoriginofcontentforFrameB?
• Frame-principalrela3onships– readCookie(A,S),writeCookie(A,S)
• CanFrameAread/writecookiesfromsiteS?
ChromiumSecurityArchitecture
• Browser("kernel")– Fullprivileges(filesystem,networking)
• Renderingengine– Upto20processes– Sandboxed
• Oneprocessperplugin– Fullprivilegesofbrowser
Chromium
Communica3ngsandboxedcomponents
See:hqp://dev.chromium.org/developers/design-documents/sandbox/
DesignDecisions• Compa3bility
– Sitesrelyontheexis3ngbrowsersecuritypolicy– Browserisonlyasusefulasthesitesitcanrender– Rulesoutmore“cleanslate”approaches
• BlackBox– OnlyrenderermayparseHTML,JavaScript,etc.– Kernelenforcescoarse-grainedsecuritypolicy– Renderertoenforcesfiner-grainedpolicydecisions
• MinimizeUserDecisions
TaskAlloca3on
LeverageOSIsola3on• SandboxbasedonfourOSmechanisms
– Arestrictedtoken– TheWindowsjobobject– TheWindowsdesktopobject– WindowsVistaonly:integritylevels
• Specifically,therenderingengine– adjustssecuritytokenbyconver3ngSIDStoDENY_ONLY,adding
restrictedSID,andcallingAdjustTokenPrivileges– runsinaWindowsJobObject,restric3ngabilitytocreatenew
processes,readorwriteclipboard,..– runsonaseparatedesktop,mi3ga3nglaxsecuritycheckingofsome
WindowsAPIsSee:hqp://dev.chromium.org/developers/design-documents/sandbox/
Evalua3on:CVEcount
• TotalCVEs:
• Arbitrarycodeexecu3onvulnerabili3es:
Summary• Securityprinciples
– Isola3on– PrincipleofLeastPrivilege– Qmailexample
• AccessControlConcepts– Matrix,ACL,Capabili3es
• OSMechanisms– Unix
• Filesystem,Setuid– Windows
• Filesystem,Tokens,EFS• Browsersecurityarchitecture
– Isola3onandleastprivilegeexample