670 likes | 879 Vues
Chapter 4 Operating System Security. Sue Fitzgerald Metropolitan State University CS 328 Computer Security Fall 2008. Overview. Hardware Operating systems and processes Authentication Principle of Least Privilege Attacks - vulnerabilities and exploits Key loggers and rootkits
E N D
Chapter 4 Operating System Security Sue Fitzgerald Metropolitan State University CS 328 Computer Security Fall 2008
Overview • Hardware • Operating systems and processes • Authentication • Principle of Least Privilege • Attacks - vulnerabilities and exploits • Key loggers and rootkits • Prevention and recovery
Hardware • Computers are binary machines • Voltage level output by an electronic device (high/low) • Magnetic device polarity (positive/negative) • One binary digit (true/false) is called a bit • A collection of 8 bits is a byte • A collection of bits can be used to represent a binary number
Memory • The memory of a computer is composed of many bytes (megabytes or gigabytes) • Each byte or collection of bytes holds a binary number • Data is encoded and stored as binary numbers • Computer instructions are encoded and stored as binary numbers
Memory (continued) • Each byte of memory has a unique address • The address is also represented as a binary number • Components of the computer are linked by wires • Data, instructions and addresses are sent across the wires as high/low voltage levels (bits)
Architecture • See figure 4.1, p. 62 • The CPU processes or executes instructions such as add, compare, jump • The CPU requests the next instruction or a piece of data from the memory • The memory returns that piece of information • The CPU sends a piece of data to the memory • The memory stores that piece of data
CPU • The central processing unit controls the order in which instructions are executed • The CPU executes instructions • The CPU has registers (very fast memory) for keeping track of a small amount of very important information • The Program Counter (PC) is a register that holds the memory address of the next instruction to be fetched and executed
Fetch-Execute Cycle • The CPU takes the address of the next instruction (held in the PC) and places it on the address bus • The CPU sends a signal via the control bus, asking to read that information • The memory returns that piece of information • The CPU decodes and executes that instruction • The CPU updates the PC
Modern Architecture • Instructions are pipelined • One or more instructions are pre-fetched before the previous instruction is finished • Instructions are broken into stages • Several instructions can be executing at the same time, but in different stages • Instructions and data are cached
Operating System • An operating system manages the resources of the computer (CPU, memory, I/O devices, disk, network access, etc.) • Hides details of device management from users • Permits multi-processing – many programs (processes) executing ‘at once’ • Protects each process from interference from another process
CPU Modes • CPU runs in one of two modes • Kernel or privileged mode (Ring 0) • User or unprivileged mode (Ring 3) • Some instructions can only be executed when the CPU is in privileged mode • Operating systems run in privileged mode • Everything else runs in user mode
Privileged vs. Unprivileged Mode • For the protection of the OS, unprivileged code cannot freely change modes • The only way to go from unprivileged mode to privileged (kernel) mode is via an interrupt • An interrupt from external hardware (I/O, clock) • A runtime exception (divide by zero, illegal memory access • A trap instruction (software interrupt)
Interrupt Handling • When an interrupt occurs, the CPU • Suspends the execution of the running (user) process • Changes to privileged (kernel) mode • Looks in an operating system data structure, called an interrupt vector, to see where to go next • Starts running the operating system code at the address given in the interrupt vector
Memory Management • Must protect user processes from interfering with one another (reading/writing memory) • Must protect operating system kernel from user processes (reading/writing memory) • Solution: virtual addressing • To each process (running program), the memory of the computer appears to belong only to that process; it thinks it has the whole memory in one long contiguous piece
Virtual Memory • This is called the virtual address space • Instead, physical memory is broken up into chunks (pages or frames) • The physical memory is shared among all the processes • The user process’s memory may not be physically contiguous • Parts of the user process’s memory may be temporarily stored on disk
Virtual Memory (continued) • The memory management unit (MMU) is hardware that translates the virtual address to a physical address • The operating system sets up and controls this mapping • See Figure 4.2, p. 65 • The operating system moves missing pages of memory from disk to memory as needed
MMU • The MMU may mark certain parts of memory as ‘read-only’ • Attempts by user processes to write to that memory will cause a runtime exception • The MMU may prevent user processes from even reading some parts of memory which are used by the kernel for data and buffers
MMU (continued) • MMU tables are initialized for each user process such that the kernel’s memory is located in the same place every time for every process • When the user process traps to the kernel, the kernel can see the user data and does not need to change the MMU tables for itself
Process • A process is a running program • It is one of the fundamental units controlled by the operating system • Processes should be self-contained for security
System Calls • A user process requests an operating system service via a system call or syscall • System calls are available via a library of functions • The system call identifies what service is needed. • Additional information is provided via parameters/arguments • The system call issues a trap instruction (software interrupt)
System Calls (continued) • The system saves the user process’s state (program counter, variables, etc.) • Hardware switches to kernel (privileged) mode • OS runs the system call trap handler function • The trap handler looks up the requested service and retrieves an address for that service • Control passes to the service • See Figure 4.4, p. 67
Context Switching • Changing from running one process to another is called a ‘context switch’ • It is a relatively slow thing to do • When the service is done, the CPU drops back into user mode and control passes back to the calling (user) process • The operating systems keeps track of all processes (running, waiting, blocked for I/O)
User Interfaces • Two types of user interface (UI) • Command line (shell) • Graphical user interface (GUI) • Technically, the UI is not part of the OS
OS Security • Process isolation • Use memory management to make sure one process cannot read or write to the memory of another • Processes communicate via standard mechanisms • Interprocess communication (IPC) • Pipes, message passing, shared memory, shared files
IPC • IPC opens the door to leaks • Examples • Shared memory does not occupy an entire page but the operating system maps an entire page to both processes • A sends a message to B but B terminates before the message arrives. C starts and is assigned the same process number as B. The message is delivered to C.
IPC (continued • More examples of leaks • Object reuse • Memory pages/frames • Kernel heap regions • Temporal variations • What shared code is cached or in memory
Authentication • Authentication – verifying someone is who they say they are • Authorization – given the user has authenticated, to what resources are they permitted access and what sort of access are they permitted? • Users – people or processes
Users • Users have accounts • Users are authenticated via login/password • Special accounts are set up for groups of users (e.g., guest, games) • Some users need special privileges • Special accounts (root, superuser, admin) • Specific users are granted admin privileges
Principle of Least Privilege • Assign fewest privileges necessary to get the job done • Operate at lowest level of privilege • Always operating at highest level of privilege can lead to lots of damage if errors are made • What mode do you run in?
Filesystem Access Control • Most objects (not all) are managed by the file system • Data and programs are stored in files • Some programs are OS programs • Some files contain configuration information • Typical permissions for files are: • read, write, execute
Filesystems (continued) • Impersonation – changes the owner of a program so that a user can run an system program with privileges • Allows users to do necessary tasks that require root privilege • Necessary, but dangerous
Access Control List • Access Control List (ACL) – a column from the access control matrix • Each object has a list of access control entries • (user/group, operation, permission – allow/deny) • The operating system checks the permissions on each file access • This is the Windows approach
Access Control - Capabilities • A row from the access control matrix is associated with each subject • Each subject has a list of objects and what operations can be performed on them • Unix (Linux, OSX, FreeBSD) takes a hybrid approach
Unix Approach • Each file has an owner and a group • A group is a set of users • Users can belong to more than one group • Each file has three sets of permissions – one for the owner, one for the group and one for everyone else • The permissions are read, write and execute
Unix Approach (continued) • The operating system checks the permissions on each access • Objects carry their permission list (ACL-like) • Group membership grants access rights (capability-like) • Root/superuser overrides all permission checking • DAC
Reference Monitors • Separate policy from mechanism • Policy is documentation • Mechanism is the implementation of policy • System must practice complete mediation (check every access) in order to be secure • The ‘reference monitor’ is responsible for checking all accesses
Trusted Computing Base (TCB) • The set of things we are forced to trust • Should include the CPU and MMU • Should NOT include user processes • TCB should be as small as possible
Operating System Components • The essentials – kernel, drivers, command interpreter, filesystem • Add-ons • Networking • Remote procedure calls • Cryptography
Access to the OS • System calls – interface to the OS • POSIX • Portable Operating System Interface • 1980’s • IEEE standard • Standard API for operating systems • Portability • Moderately successful
Access to OS (continued) • Win32 API • Standard interface to Windows • Similar to POSIX • Permits underlying changes without changes to user programs making system calls
Remote Procedure Calls • Remote Procedure Calls (RPC) allow one computer to call procedures located on a different computer, more or less transparently • Library of functions to support this • Marshalling – serializing arguments so they can be sent over a network • Local call to stub -> marshall -> pass over network -> unmarshall -> actual call • Possible security hole
RPC Technologies • SunRPC for Unix • MSRPC/DCOM for Microsoft • DCOM has been replaced by .NET • RPC, in general, is being replaced by web services
Crypto • Operating systems support encryption and key storage • Applications use operating systems services • Another avenue for attacks
Extending the Kernel • Drivers for peripheral hardware – execute with kernel privileges
Attacks • Learn confidential information • Set up a computer so it can serve as the basis for attacking another computer • Hide the real attacker
Attack Strategies • 0wn or r00t – attacker has complete control over a system • Can install and run programs • Can access all files • Can modify user accounts • Access a low-privilege account and escalate to system ownership
Attack Strategies (continued) • Services available via the Internet are especially vulnerable to attack (ftp, http servers, DCOM) • Remote code execution • Attacker exploits service • Transfers program to victim • Runs program on victim
Attacks • Keystroke loggers • Allows attacker to capture keystrokes • Used to discover passwords and elevating privilege • rootkits – larger set of attack tools • bots – remotely controlled programs that perform denial of service attacks (robots) • botnets – a set of machines infected with bots
Attacks (continued) • Denial of service – bombarding a site with requests for service or malformed requests which prevent real users from accessing the service • Distributed denial of service attacks – a denial of service attack in which the requests for service come from many computers • Threats/blackmail
Attacks (continued) • guest accounts may be exploited to escalate privilege • Accounts with weak or no passwords may be exploited similarly • Worms – self-replicating programs which take advantage of network vulnerabilities to propagate themselves