SecureArchitecturePrinciples

•  Isola3onandLeastPrivilege•  AccessControlConcepts•  Opera3ngSystems•  BrowserIsola3onandLeastPrivilege

OriginalslideswerecreatedbyProf.JohnMitchel

SecureArchitecturePrinciples

Isola3onandLeastPrivilege

PrinciplesofSecureDesign•  Compartmentaliza3on

–  Isola3on–  Principleofleastprivilege

•  Defenseindepth–  Usemorethanonesecuritymechanism–  Securetheweakestlink–  Failsecurely

•  Keepitsimple

PrincipleofLeastPrivilege•  What’saprivilege?

–  Abilitytoaccessormodifyaresource•  Assumecompartmentaliza3onandisola3on

–  Separatethesystemintoisolatedcompartments–  Limitinterac3onbetweencompartments

•  PrincipleofLeastPrivilege–  Asystemmoduleshouldonlyhavetheminimalprivilegesneededforitsintendedpurposes

Monolithicdesign

System

Network

Userinput

Filesystem

Network

Userdevice

Filesystem

Monolithicdesign

System

Network

Userinput

Filesystem

Network

Userdevice

Filesystem

Monolithicdesign

System

Network

Userinput

Filesystem

Network

Userdisplay

Filesystem

Componentdesign

Network

Userinput

Filesystem

Network

Userdisplay

Filesystem

Componentdesign

Network

Userinput

Filesystem

Network

Userdevice

Filesystem

Componentdesign

Network

Userinput

Filesystem

Network

Userdevice

Filesystem

PrincipleofLeastPrivilege•  What’saprivilege?

–  Abilitytoaccessormodifyaresource•  Assumecompartmentaliza3onandisola3on

–  Separatethesystemintoisolatedcompartments–  Limitinterac3onbetweencompartments

•  PrincipleofLeastPrivilege–  Asystemmoduleshouldonlyhavetheminimalprivilegesneededforitsintendedpurposes

Example:MailAgent•  Requirements

–  Receiveandsendemailoverexternalnetwork–  Placeincomingemailintolocaluserinboxfiles

•  Sendmail–  Tradi3onalUnix– Monolithicdesign–  Historicalsourceofmanyvulnerabili3es

•  Qmail–  Compartmentalizeddesign

OSBasics(beforeexamples)

•  Isola3onbetweenprocesses–  EachprocesshasaUID

•  TwoprocesseswithsameUIDhavesamepermissions–  Aprocessmayaccessfiles,networksockets,….

•  PermissiongrantedaccordingtoUID•  Rela3ontopreviousterminology

–  CompartmentdefinedbyUID–  Privilegesdefinedbyac3onsallowedonsystemresources

Qmaildesign•  Isola3onbasedonOSisola3on

–  Separatemodulesrunasseparate“users”–  Eachuseronlyhasaccesstospecificresources

•  Leastprivilege– MinimalprivilegesforeachUID–  Onlyone“setuid”program

•  setuidallowsaprogramtorunasdifferentusers–  Onlyone“root”program

•  rootprogramhasallprivileges

Structureofqmail

qmail-smtpd

qmail-localqmail-remote

qmail-lspawnqmail-rspawn

qmail-send

qmail-inject

qmail-queue

Incoming external mail Incoming internal mail

Isola3onbyUnixUIDs

qmail-smtpd

qmail-localqmail-remote

qmail-lspawnqmail-rspawn

qmail-send

qmail-inject

qmail-queue

qmaild user

qmailq

qmails qmailr

qmailr

root

user setuid user

qmailq – user who is allowed to read/write mail queue

Structureofqmail

qmail-smtpd

qmail-localqmail-remote

qmail-lspawnqmail-rspawn

qmail-send

qmail-inject

qmail-queueReadsincomingmaildirectoriesSplitsmessageintoheader,bodySignalsqmail-send

Structureofqmail

qmail-smtpd

qmail-localqmail-remote

qmail-lspawnqmail-rspawn

qmail-send

qmail-inject

qmail-queueqmail-sendsignals

•  qmail-lspawniflocal•  qmail-remoteifremote

Structureofqmail

qmail-smtpd

qmail-local

qmail-lspawn

qmail-send

qmail-inject

qmail-queue

qmail-lspawn•  Spawnsqmail-local•  qmail-localrunswithIDofuserreceivinglocalmail

Structureofqmail

qmail-smtpd

qmail-local

qmail-lspawn

qmail-send

qmail-inject

qmail-queue

qmail-local•  Handlesaliasexpansion•  Deliverslocalmail•  Callsqmail-queueifneeded

Structureofqmail

qmail-smtpd

qmail-remote

qmail-rspawn

qmail-send

qmail-inject

qmail-queue

qmail-remote•  DeliversmessagetoremoteMTA

root

Isola3onbyUnixUIDs

qmail-smtpd

qmail-localqmail-remote

qmail-lspawnqmail-rspawn

qmail-send

qmail-inject

qmail-queue

qmaild user

qmailq

qmails qmailr

qmailr user setuid user

qmailq – user who is allowed to read/write mail queue

setuid

root

Leastprivilege

qmail-smtpd

qmail-localqmail-remote

qmail-lspawnqmail-rspawn

qmail-send

qmail-inject

qmail-queue

root

setuid

Androidprocessisola3on

•  Androidapplica3onsandbox–  Isola3on:Eachapplica3onrunswithitsownUIDinownVM

•  Providesmemoryprotec3on•  Communica3onlimitedtousingUnixdomainsockets•  Onlyping,zygote(spawnanotherprocess)runasroot

–  Interac3on:referencemonitorcheckspermissionsoninter-componentcommunica3on

–  LeastPrivilege:Applica3onsannouncespermission•  Usergrantsaccessatinstall3me

SecureArchitecturePrinciples

AccessControlConcepts

Accesscontrol•  Assump3ons

–  Systemknowswhotheuseris•  Authen3ca3onvianameandpassword,othercreden3al

–  Accessrequestspassthroughgatekeeper(referencemonitor)•  Systemmustnotallowmonitortobebypassed

ResourceUserprocess

Referencemonitor

accessrequest

policy

?

Accesscontrolmatrix[Lampson]

File 1 File 2 File 3 … File n

User 1 read write - - read

User 2 write write write - -

User 3 - - - read read

…

User m read write read write read

Subjects

Objects

Implementa3onconcepts•  Accesscontrollist(ACL)

–  Storecolumnofmatrixwiththeresource

•  Capability–  Userholdsa“3cket”foreachresource–  Twovaria3ons

•  storerowofmatrixwithuser,underOScontrol•  unforgeable3cketinuserspace

File 1 File 2 …

User 1 read write -

User 2 write write -

User 3 - - read

…

User m Read write write

Accesscontrollistsarewidelyused,ocenwithgroupsSomeaspectsofcapabilityconceptareusedinmanysystems

ACLvsCapabili3es•  Accesscontrollist

–  Associatelistwitheachobject–  Checkuser/groupagainstlist–  Reliesonauthen3ca3on:needtoknowuser

•  Capabili3es–  Capabilityisunforgeable3cket

•  Randombitsequence,ormanagedbyOS•  Canbepassedfromoneprocesstoanother

–  Referencemonitorchecks3cket•  Doesnotneedtoknowiden3fyofuser/process

ACLvsCapabili3es

ProcessPUserU

ProcessQUserU

ProcessRUserU

ProcessPCapabiltyc,d,e

ProcessQ

ProcessRCapabiltyc

Capabiltyc,e

ACLvsCapabili3es•  Delega3on

–  Cap:Processcanpasscapabilityatrun3me–  ACL:Trytogetownertoaddpermissiontolist?

•  Morecommon:letotherprocessactundercurrentuser•  Revoca3on

–  ACL:Removeuserorgroupfromlist–  Cap:Trytogetcapabilitybackfromprocess?

•  Possibleinsomesystemsifappropriatebookkeeping–  OSknowswhichdataiscapability–  Ifcapabilityisusedformul3pleresources,havetorevokeallornone…

•  Indirec3on:capabilitypointstopointertoresource–  IfC→P→R,thenrevokecapabilityCbyseengP=0

Roles(akaGroups)•  Role=setofusers

–  Administrator,PowerUser,User,Guest–  Assignpermissionstoroles;eachusergetspermission

•  Rolehierarchy–  Par3alorderofroles–  Eachrolegetspermissionsofrolesbelow

–  Listonlynewpermissionsgiventoeachrole

Administrator

Guest

PowerUser

User

Role-BasedAccessControlIndividuals Roles Resources

engineering

marke3ng

humanres

Server1

Server3

Server2

Advantage:userschangemorefrequentlythanroles

Accesscontrolsummary•  Accesscontrolinvolvesreferencemonitor

–  Checkpermissions:〈userinfo,ac3on〉→yes/no–  Important:nowayaroundthischeck

•  Accesscontrolmatrix–  Accesscontrollistsvscapabili3es–  Advantagesanddisadvantagesofeach

•  Role-basedaccesscontrol–  Usegroupas“userinfo”;usegrouphierarchies

SecureArchitecturePrinciples

Opera3ngSystems

Unixaccesscontrol

•  Processhasuserid–  Inheritfromcrea3ngprocess–  Processcanchangeid

•  Restrictedsetofop3ons–  Special“root”id

•  Allaccessallowed•  Filehasaccesscontrollist(ACL)

–  Grantspermissiontouserids–  Owner,group,other

File 1 File 2 …

User 1 read write -

User 2 write write -

User 3 - - read

…

User m Read write write

Unixfileaccesscontrollist•  Eachfilehasownerandgroup•  Permissionssetbyowner

–  Read,write,execute–  Owner,group,other–  Representedbyvectoroffouroctalvalues

•  Onlyowner,rootcanchangepermissions–  Thisprivilegecannotbedelegatedorshared

•  Se3dbits–Discussinafewslides

rwx rwxrwx-ownr grp othr

se3d

Ques3on•  Ownercanhavefewerprivilegesthanother

–  Whathappens?•  Ownergetsaccess?•  Ownerdoesnot?

Priori3zedresolu3onofdifferencesifuser=ownerthenownerpermissionelseifuseringroupthengrouppermissionelseotherpermission

Processeffec3veuserid(EUID)•  EachprocesshasthreeIds(+moreunderLinux)

–  RealuserID(RUID)•  sameastheuserIDofparent(unlesschanged)•  usedtodeterminewhichuserstartedtheprocess

–  Effec3veuserID(EUID)•  fromsetuserIDbitonthefilebeingexecuted,orsyscall•  determinesthepermissionsforprocess

–  fileaccessandportbinding–  SaveduserID(SUID)

•  SopreviousEUIDcanberestored

•  RealgroupID,effec3vegroupID,usedsimilarly

ProcessOpera3onsandIDs•  Root

–  ID=0forsuperuserroot;canaccessanyfile•  ForkandExec

–  InheritthreeIDs,exceptexecoffilewithsetuidbit•  Setuidsystemcall

–  seteuid(newid)cansetEUIDto•  RealIDorsavedID,regardlessofcurrentEUID•  AnyID,ifEUID=0

•  Detailsareactuallymorecomplicated–  Severaldifferentcalls:setuid,seteuid,setreuid

Se3dbitsonexecutableUnixfile•  Threese3dbits

–  Setuid–setEUIDofprocesstoIDoffileowner–  Setgid–setEGIDofprocesstoGIDoffile–  S3cky

•  Off:ifuserhaswritepermissionondirectory,canrenameorremovefiles,evenifnotowner

•  On:onlyfileowner,directoryowner,androotcanrenameorremovefileinthedirectory

Example

…;…;exec();

RUID25 SetUID

program

…;…;i=getruid()setuid(i);…;…;

RUID25EUID18

RUID25EUID25

-rw-r--r--file

-rw-r--r--file

Owner18

Owner25

read/write

read/write

Owner18

Unixsummary•  Goodthings

–  Someprotec3onfrommostusers–  Flexibleenoughtomakethingspossible

•  Mainlimita3on–  Tootemp3ngtouserootprivileges–  Nowaytoassumesomerootprivilegeswithoutallrootprivileges

Weaknessinisola3on,privileges•  Network-facingDaemons

–  Rootprocesseswithnetworkportsopentoallremotepar3es,e.g.,sshd,cpd,sendmail,…

•  Rootkits–  Systemextensionviadynamicallyloadedkernelmodules

•  EnvironmentVariables–  SystemvariablessuchasLIBPATHthataresharedstateacross

applica3ons.AnaqackercanchangeLIBPATHtoloadanaqacker-providedfileasadynamiclibrary

Weaknessinisola3on,privileges•  SharedResources

–  Sinceanyprocesscancreatefilesin/tmpdirectory,anuntrustedprocessmaycreatefilesthatareusedbyarbitrarysystemprocesses

•  Time-of-Check-to-Time-of-Use(TOCTTOU)–  Typically,arootprocessusessystemcalltodetermineifini3a3nguser

haspermissiontoapar3cularfile,e.g./tmp/X.–  Aceraccessisauthorizedandbeforethefileopen,usermaychange

thefile/tmp/Xtoasymboliclinktoatargetfile/etc/shadow.

AccesscontrolinWindows•  Somebasicfunc3onalitysimilartoUnix

–  Specifyaccessforgroupsandusers•  Read,modify,changeowner,delete

•  Someaddi3onalconcepts–  Tokens–  Securityaqributes

•  Generally – MoreflexiblethanUnix

•  Candefinenewpermissions•  Cangivesomebutnotalladministratorprivileges

Iden3fysubjectusingSID•  SecurityID(SID)

–  Iden3ty(replacesUID)•  SIDrevisionnumber•  48-bitauthorityvalue•  variablenumberofRela3veIden3fiers(RIDs),foruniqueness

–  Users,groups,computers,domains,domainmembersallhaveSIDs

Processhassetoftokens•  Securitycontext

–  Privileges,accounts,andgroupsassociatedwiththeprocessorthread

–  Presentedassetoftokens•  Impersona3ontoken

–  Usedtemporarilytoadoptadifferentsecuritycontext,usuallyofanotheruser

•  SecurityReferenceMonitor–  Usestokenstoiden3fythesecuritycontextofaprocessorthread

Objecthassecuritydescriptor•  Securitydescriptorassociatedwithanobject

–  Specifieswhocanperformwhatac3onsontheobject•  Severalfields

–  Header•  Descriptorrevisionnumber•  Controlflags,aqributesofthedescriptor

–  E.g.,memorylayoutofthedescriptor–  SIDoftheobject'sowner–  SIDoftheprimarygroupoftheobject–  Twoaqachedop3onallists:

•  Discre3onaryAccessControlList(DACL)–users,groups,…•  SystemAccessControlList(SACL)–systemlogs,..

Exampleaccessrequest

Group1:AdministratorsGroup2:Writers

Controlflags

GroupSIDDACLPointerSACLPointerDenyWritersRead,WriteAllowMarkRead,Write

OwnerSID

RevisionNumber

Accesstoken

Securitydescriptor

Accessrequest:writeAc3on:denied

•  User Mark requests write permission •  Descriptor denies permission to group •  Reference Monitor denies request (DACL for access, SACL for audit and logging)

Priority:ExplicitDenyExplicitAllowInheritedDenyInheritedAllow

User:Mark

Impersona3onTokens(comparetosetuid)

•  Processadoptssecurityaqributesofanother–  Clientpassesimpersona3ontokentoserver

•  Clientspecifiesimpersona3onlevelofserver–  Anonymous

•  Tokenhasnoinforma3onabouttheclient–  Iden3fica3on

•  ObtaintheSIDsofclientandclient'sprivileges,butservercannotimpersonatetheclient

–  Impersona3on•  Impersonatetheclient

–  Delega3on•  Letsserverimpersonateclientonlocal,remotesystems

Weaknessinisola3on,privileges•  SimilarproblemstoUnix

–  E.g.,Rootkitsleveragingdynamicallyloadedkernelmodules•  WindowsRegistry

–  Globalhierarchicaldatabasetostoredataforallprograms–  Registryentrycanbeassociatedwithasecuritycontextthatlimitsaccess;commontobeabletowritesensi3veentry

•  EnabledByDefault–  Historically,manyWindowsdeploymentsalsocamewithfullpermissionsandfunc3onalityenabled

SecureArchitecturePrinciples

BrowserIsola3onandLeastPrivilege

Webbrowser:ananalogy

Opera&ngsystem•  Subject:Processes

–  HasUserID(UID,SID)–  Discre3onaryaccesscontrol

•  Objects–  File–  Network–  …

•  Vulnerabili3es–  Untrustedprograms–  Bufferoverflow–  …

Webbrowser•  Subject:webcontent(JavaScript)

–  Has“Origin”–  Mandatoryaccesscontrol

•  Objects–  Documentobjectmodel–  Frames–  Cookies/localStorage

•  Vulnerabili3es–  Cross-sitescrip3ng–  Implementa3onbugs–  …

Thewebbrowserenforcesitsowninternalpolicy.Ifthebrowserimplementa3oniscorrupted,thismechanismbecomesunreliable.

Componentsofsecuritypolicy•  Frame-Framerela3onships

–  canScript(A,B)•  CanFrameAexecuteascriptthatmanipulatesarbitrary/nontrivialDOMelementsofFrameB?

–  canNavigate(A,B)•  CanFrameAchangetheoriginofcontentforFrameB?

•  Frame-principalrela3onships–  readCookie(A,S),writeCookie(A,S)

•  CanFrameAread/writecookiesfromsiteS?

ChromiumSecurityArchitecture

•  Browser("kernel")–  Fullprivileges(filesystem,networking)

•  Renderingengine–  Upto20processes–  Sandboxed

•  Oneprocessperplugin–  Fullprivilegesofbrowser

Chromium

Communica3ngsandboxedcomponents

See:hqp://dev.chromium.org/developers/design-documents/sandbox/

DesignDecisions•  Compa3bility

–  Sitesrelyontheexis3ngbrowsersecuritypolicy–  Browserisonlyasusefulasthesitesitcanrender–  Rulesoutmore“cleanslate”approaches

•  BlackBox–  OnlyrenderermayparseHTML,JavaScript,etc.–  Kernelenforcescoarse-grainedsecuritypolicy–  Renderertoenforcesfiner-grainedpolicydecisions

•  MinimizeUserDecisions

TaskAlloca3on

LeverageOSIsola3on•  SandboxbasedonfourOSmechanisms

–  Arestrictedtoken–  TheWindowsjobobject–  TheWindowsdesktopobject–  WindowsVistaonly:integritylevels

•  Specifically,therenderingengine–  adjustssecuritytokenbyconver3ngSIDStoDENY_ONLY,adding

restrictedSID,andcallingAdjustTokenPrivileges–  runsinaWindowsJobObject,restric3ngabilitytocreatenew

processes,readorwriteclipboard,..–  runsonaseparatedesktop,mi3ga3nglaxsecuritycheckingofsome

WindowsAPIsSee:hqp://dev.chromium.org/developers/design-documents/sandbox/

Evalua3on:CVEcount

•  TotalCVEs:

•  Arbitrarycodeexecu3onvulnerabili3es:

Summary•  Securityprinciples

–  Isola3on–  PrincipleofLeastPrivilege–  Qmailexample

•  AccessControlConcepts–  Matrix,ACL,Capabili3es

•  OSMechanisms–  Unix

•  Filesystem,Setuid–  Windows

•  Filesystem,Tokens,EFS•  Browsersecurityarchitecture

–  Isola3onandleastprivilegeexample