242 Class Note for CSE 543 with Professor McDaniel at PSU
These 49-page class notes were uploaded by an elite notetaker on Friday, February 6, 2015. They belong to a course at Pennsylvania State University taught by a professor in Fall. Since upload, they have received 13 views.
Date Created: 02/06/15
Systems and Internet Infrastructure Security
System Security
Professor Patrick McDaniel, Fall 2009
CSE543 - Introduction to Computer and Network Security

OS Security
- A secure OS should provide at least the following mechanisms:
  > Memory protection
  > File protection
  > General object protection
  > Access authentication
- How do we go about designing a trusted OS?
- "Trust" in this context means something different from "secure".

Trust vs. Security
- When you get your medication at a pharmacy, you are trusting that it is appropriate for the condition you are addressing. In effect, you are arguing internally:
  > The doctor was correct in prescribing this drug
  > The FDA vetted the drug through scientific analysis and clinical trials
  > No maniac has tampered with the bottle
- The first two are matters of trust, and the last is a matter of security.
- An OS needs to perform similar due diligence to achieve trust and security.

Access Control Lists
- ACL: a list of the principals that are authorized to have access to some object.
- Or, more correctly: O1: S1; O2: S1, S2, S3; O3: S3
- We are going to see a lot of examples of these throughout the semester.

ACLs in systems
- ACLs are typically used to implement discretionary access control.
- For example, you define the UNIX file system ACLs using the chmod utility.

Discretionary Access
- The UNIX filesystem implements discretionary access control through file permissions set by the user.
- The set of objects is the files in the filesystem, e.g., /etc/passwd
- Each file has an owner and a group (subjects)
  > The owner is typically the creator of the file and the entity in control of the access control policy
  > Note: this can be overridden by the root user
- There is an additional subject called "world", which represents everyone else.

UNIX filesystem rights
- There are three rights in the UNIX filesystem:
  > READ: allows the subject (process) to read the contents of the file
  > WRITE: allows the subject (process) to alter the contents of the file
  > EXECUTE: allows the subject (process) to execute the contents of the file, e.g., a shell program or an executable
- Q: Why is execute a right?
- Q: Does the right to read a program implicitly give you

The UNIX FS access policy
- Really, this is a bit string encoding an access matrix. E.g.:
  rwx rwx rwx   (Owner, Group, World)
- A policy is encoded as r, w, x if enabled and "-" if not. E.g.:
  rwxrw---x
  says the user can read, write and execute; the group can read and write; and world can execute only.

Caveats: UNIX Filesystem
- Access is often not really this easy: you need to have certain rights to parent directories to access a file (execute, for example)
  > The reasons for this are quite esoteric
- The preceding policy may appear to be contradictory:
  > A member of the group does not have execute rights, but members of the world do, so
  > a user appears to be both allowed and prohibited from executing access
  > Not really: these policies are monotonic. The absence of a right does not mean they should not get access at all, just that that particular identity (e.g., group member, world) should not be given that right.

Windows grows up
- Windows 2000 marked the beginning of real OS security for the Windows systems.

Tokens
- Like the UID/GID in a UNIX process:
  > User
  > Group
  > Aliases
  > Privileges (predefined sets of rights)
- May be specific to a domain
- Composed into a global SID
- Subsequent processes inherit access tokens
  > Different processes may have different rights

Access Control Entries
- DACL in the security descriptor of an object
  > List of access control entries (ACEs)
- ACE structure (proposed by Swift et al.):
  > Type: grant or deny
  > Flags
  > ObjectType: global UID for type (limits ACEs checked)
  > InheritedObjectType: complex inheritance
  > Access rights: access mask
  > Principal SID: principal the ACE applies to
- Checking algorithm:
  > ACE matches SID (user, group, alias, etc.)
  > ACE denies access for specified right: deny
  > ACE grants access for some rights: need full coverage

Access Checking with ACEs: Example
[Figure: a process/thread's access token (user SID, group SIDs) is checked against the object's security descriptor (owner, group, SACL, DACL). User 1, in groups 1 and 2, is denied; user 2, in groups 2 and 3, is allowed.]

Windows Vista Integrity
- Integrity protection for writing
- Defines a series of protection levels of increasing protection:
  > untrusted (lowest)
  > low (Internet)
  > medium (user)
  > high (admin)
  > system
  > installer (highest)
- Semantics: if the subject's (process's) integrity level dominates the object's integrity level, then the write is allowed.

Vista Integrity
- Q: Does Vista Integrity protect the integrity of J's public key file?

And now back to UNIX: UID Transition (Setuid)
- A special bit in the mode bits
- Execute file
  > Resulting process has the effective (and fs) UID/GID of the file owner
- Enables a user to escalate privilege
  > For executing a trusted service
- Downside: the user defines the execution environment
  > e.g., environment variables, input arguments, open descriptors, etc.
- Service must protect itself, or the user can gain root access
- All UNIX services involve root processes, many via setuid

/tmp Vulnerability
- creat(pathname, mode)
- O_EXCL flag
  > If the file already exists, this is an error
- Potential attack:
  > Attacker creates a file in shared space (/tmp)
  > Gives it a filename used by a higher-authority service
  > Makes sure that service has permission to the file
  > If creat() is used without O_EXCL, then the attacker can share the file with the higher-authority process

Other Vulnerabilities
- Objects without sufficient control
  > Windows registry, network
- Libraries
  > Load order permits malware-defined libraries
- Executables are everywhere
  > Web content, email, documents (Word)
- Labeling is wrong
  > Mount a new file system (device)
- Malware can modify your permissions
  > Inherent to the discretionary model

Sandboxing
- An execution environment for programs that contains a limited set of rights
  > A subset of your permissions (meet secrecy and integrity goals)
  > Cannot be changed by the running program (mandatory)

UNIX chroot
- Create a domain in which a process is confined
  > Process can only read/write within a file system subtree
  > Applies to all descendant processes
  > Can carry file descriptors into the "chroot jail"

Chroot Vulnerability
- Unfortunately, chroot can trick its own system
  > Define a passwd file at <newroot>/etc/passwd
  > Run su: su thinks that this is the real passwd file
  > Gives root access
- Use mknod to create a device file to access physical memory
- Setup requires great care
  > Never run the chroot process as root
  > Must not be able to get root privileges
  > No control by the chrooted process (user) of the contents in the jail
  > Be careful about descriptors, open sockets, and IPC that may be available

Process-specific Permissions
- Design the permissions of a process specific to its use
- How do we change the permissions of a process in an ACL system?
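The UNIX access check from the "Caveats" slide, worked as an added example (not code from the lecture): the kernel picks exactly one class for the calling process, so the group member in the rwxrw---x policy is denied execute even though world has it. The uids and gids are constructed.

```python
# Added example, not from the lecture: decode a UNIX mode string such as
# "rwxrw---x" and run the access check the "Caveats" slide describes. The
# kernel picks exactly one class (owner, group or world) for the process and
# applies only that class's bits. Uids/gids below are constructed samples.
from dataclasses import dataclass

RIGHTS = ("r", "w", "x")

@dataclass(frozen=True)
class FileObject:
    owner: int    # uid of the owner (controls the policy, root aside)
    group: int    # gid of the file's group
    mode: str     # nine chars: owner, group and world triples

@dataclass(frozen=True)
class Subject:
    uid: int            # effective uid of the process
    gids: frozenset     # all gids the process belongs to

def parse_mode(mode: str) -> dict:
    """Split "rwxrw---x" into {"owner": {r,w,x}, "group": {r,w}, "world": {x}}."""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError(f"bad mode string: {mode!r}")
    classes = {}
    for name, offset in (("owner", 0), ("group", 3), ("world", 6)):
        triple = mode[offset:offset + 3]
        # Positions are fixed (r, w, x); "-" means the right is absent.
        classes[name] = {want for want, got in zip(RIGHTS, triple) if got == want}
    return classes

def mode_to_octal(mode: str) -> int:
    """The number chmod would take for the same string (0o761 here)."""
    bits = 0
    for c in mode:
        bits = (bits << 1) | (c != "-")
    return bits

def applicable_class(subject: Subject, obj: FileObject) -> str:
    """Owner beats group beats world, and only the first match is used."""
    if subject.uid == obj.owner:
        return "owner"
    if obj.group in subject.gids:
        return "group"
    return "world"

def check_access(subject: Subject, obj: FileObject, right: str) -> bool:
    """Grant iff the one applicable class carries the requested right."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    return right in parse_mode(obj.mode)[applicable_class(subject, obj)]

def demo() -> dict:
    # The slide's policy rwxrw---x on a file owned by uid 1000, gid 100.
    f = FileObject(owner=1000, group=100, mode="rwxrw---x")
    owner = Subject(uid=1000, gids=frozenset({100}))
    member = Subject(uid=1001, gids=frozenset({100}))   # in group, not owner
    other = Subject(uid=2000, gids=frozenset({200}))    # world
    return {
        "owner_x": check_access(owner, f, "x"),    # True
        "member_x": check_access(member, f, "x"),  # False: group class, no x
        "member_w": check_access(member, f, "w"),  # True
        "other_x": check_access(other, f, "x"),    # True
        "other_r": check_access(other, f, "r"),    # False
        "octal": oct(mode_to_octal(f.mode)),       # "0o761"
    }
```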
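The Windows DACL walk from the "Access Control Entries" checking algorithm and the Vista integrity rule for writes, as an added example (not the lecture's or Windows' own code). SIDs, mask bits and the ACE list are constructed to mirror the figure on the "Access Checking with ACEs" slide.

```python
# Added example, not from the slides or Windows: an ordered DACL walk per the
# "Checking algorithm" slide, plus the Vista integrity rule. SIDs, mask values
# and the ACE list are constructed samples, not real Windows constants.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4    # constructed access-mask bits

@dataclass(frozen=True)
class ACE:
    kind: str    # "grant" or "deny"
    sid: str     # principal (user, group or alias SID) the ACE applies to
    mask: int    # access rights this ACE grants or denies

@dataclass
class Token:
    """Process access token: the user's SID plus its group/alias SIDs."""
    user: str
    groups: frozenset = field(default_factory=frozenset)

    def matches(self, sid: str) -> bool:
        return sid == self.user or sid in self.groups

def access_check(token: Token, dacl: list, requested: int) -> bool:
    """Walk the DACL in order. A matching deny ACE for any requested right
    ends the check as denied; grants accumulate until every requested right
    is covered ("need full coverage"). Running off the end means denied."""
    granted = 0
    for ace in dacl:
        if not token.matches(ace.sid):
            continue                        # ACE is for someone else
        if ace.kind == "deny":
            if ace.mask & requested:
                return False                # explicit deny wins
        elif ace.kind == "grant":
            granted |= ace.mask & requested
            if granted == requested:
                return True                 # full coverage reached
    return False                            # empty or incomplete DACL

# Vista integrity levels from the slide, lowest to highest.
INTEGRITY = ("untrusted", "low", "medium", "high", "system", "installer")

def write_allowed_by_integrity(subject_level: str, object_level: str) -> bool:
    """Write permitted only if the subject's level dominates the object's."""
    return INTEGRITY.index(subject_level) >= INTEGRITY.index(object_level)

def demo() -> dict:
    # Constructed DACL in the spirit of the slide's figure: group 1 is denied
    # everything, group 2 gets read+write, group 3 gets execute.
    dacl = [
        ACE("deny", "S-group-1", READ | WRITE | EXECUTE),
        ACE("grant", "S-group-2", READ | WRITE),
        ACE("grant", "S-group-3", EXECUTE),
    ]
    user1 = Token("S-user-1", frozenset({"S-group-1", "S-group-2"}))
    user2 = Token("S-user-2", frozenset({"S-group-2", "S-group-3"}))
    return {
        "user1_read": access_check(user1, dacl, READ),                    # False
        "user2_rw": access_check(user2, dacl, READ | WRITE),              # True
        "user2_rwx": access_check(user2, dacl, READ | WRITE | EXECUTE),   # True
        "stranger_read": access_check(Token("S-user-3"), dacl, READ),     # False
        "low_writes_medium": write_allowed_by_integrity("low", "medium"), # False
        "high_writes_medium": write_allowed_by_integrity("high", "medium"),
    }
```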
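The O_EXCL check from the "/tmp Vulnerability" slide, as an added example written from the service's side (not code from the lecture): safe_create() refuses a pre-existing file in the shared directory instead of reusing it, while the creat()-style open silently takes over whatever is there. Paths are constructed in a temporary directory standing in for /tmp.

```python
# Added example, not from the slides: safe file creation in a shared
# directory. O_CREAT|O_EXCL makes "file already exists" an error, so a
# file that someone else planted under the service's name is never reused.
import os
import tempfile

def unsafe_create(path: str, data: bytes) -> str:
    """creat()-style open without O_EXCL: truncates and reuses whatever
    already sits at `path`, so the service cannot tell it was planted."""
    with open(path, "wb") as fh:
        fh.write(data)
    return "written"

def safe_create(path: str, data: bytes, mode: int = 0o600) -> str:
    """Create `path` only if it does not exist yet (atomic on POSIX).
    Returns "created"; raises FileExistsError if something is already there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW        # a symlink at `path` is an error too
    fd = os.open(path, flags, mode)   # owner-only mode set before any write
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return "created"

def demo() -> dict:
    """Run both variants against a file that is already present."""
    with tempfile.TemporaryDirectory() as shared:   # stands in for /tmp
        planted = os.path.join(shared, "service.lock")
        with open(planted, "wb") as fh:             # constructed scenario
            fh.write(b"placed here by another user\n")
        results = {"unsafe": unsafe_create(planted, b"service data\n")}
        try:
            safe_create(planted, b"service data\n")
            results["safe"] = "created"
        except FileExistsError:
            results["safe"] = "refused"             # the O_EXCL check fired
        fresh = os.path.join(shared, "service.new")
        results["fresh"] = safe_create(fresh, b"service data\n")
        results["fresh_group_other_bits"] = os.stat(fresh).st_mode & 0o077
        return results
```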
Confused Deputy Problem
- Imagine a multi-client server
  > Clients have different sets of objects that they can access
- In an ACL system, the server always has access to all the objects
  > What happens if a client tricks the server into accessing another client's objects?
  > Shouldn't the server only have access to that client's objects for its requests?

Capabilities
- A capability is the tuple (object, rights)
- A capability system implements access control by checking if the process has an appropriate capability
  > Simple, right?
  > This is a little like a ticket in the Kerberos system
- Q: Does this eliminate the need for authentication?

Capabilities
- A: Well, yes and no. Capabilities remove the overhead of managing per-object rights, but add the overhead of managing capabilities.
- Moreover, to get any real security, they have to be unforgeable
  > Hardware tags to protect capabilities
  > Protected address space/registers
  > Language-based techniques: enforce access restrictions on caps
  > Cryptography: make them unforgeable

Real OS Capabilities
- Process Table: the OS kernel manages capabilities in the process table, out of reach of the process
- Capabilities are added by user requests that comply with policy

User-space capability
- Well, what are the requirements?
  > Authenticity/integrity: we do not want a malicious process to forge capabilities
- Start with the data itself: (object, rights)
  > The object is typically encoded with an identifier or by some other tag (capabilities are sometimes known as tags)
  > Rights are often fixed: read, modify, write, execute, etc.
- Now do what you would with any other data: assume the kernel has a secret key k
  E_k(O, r1, r2, ..., rn)
- What's wrong with this construction? (I got it from the website of one of the experts in the area.)
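The MAC-based form of the user-space capability, (O, r1..rn) || HMAC_k(O, r1..rn), minted and verified by a kernel-held key, as an added example (not code from the lecture). The byte encoding, the SHA-256 HMAC, the fixed rights set from the slide and the sample object names are assumptions made here; the slide fixes none of them.

```python
# Added example, not from the slides: a user-space capability carried as
# (O, rights) || HMAC_k(O, rights). Only the holder of k (the kernel) can
# mint one; verify() rejects any altered or forged bytes. Encoding, hash
# and object names are constructed choices.
import hashlib
import hmac
import secrets

RIGHTS = ("read", "modify", "write", "execute")   # the slide's fixed set
TAG_LEN = hashlib.sha256().digest_size             # 32

def _encode(obj: str, rights: frozenset) -> bytes:
    """Canonical encoding of (O, r1..rn): 2-byte length, object id, then the
    rights as one bitmask byte so no two (O, rights) pairs collide."""
    unknown = rights - set(RIGHTS)
    if unknown or "\x00" in obj:
        raise ValueError("bad object id or unknown rights")
    mask = sum(1 << i for i, r in enumerate(RIGHTS) if r in rights)
    o = obj.encode()
    return len(o).to_bytes(2, "big") + o + bytes([mask])

class CapabilityManager:
    """Stands in for the kernel: it alone knows k, so it alone can mint."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)

    def mint(self, obj: str, rights: frozenset) -> bytes:
        body = _encode(obj, rights)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def verify(self, cap: bytes) -> tuple:
        """Return (object, rights) if the tag checks out; raise otherwise."""
        if len(cap) < 3 + TAG_LEN:
            raise ValueError("capability too short")
        body, tag = cap[:-TAG_LEN], cap[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise PermissionError("forged or altered capability")
        n = int.from_bytes(body[:2], "big")
        obj, mask = body[2:2 + n].decode(), body[2 + n]
        return obj, frozenset(r for i, r in enumerate(RIGHTS) if mask >> i & 1)

    def permits(self, cap: bytes, obj: str, right: str) -> bool:
        """The access check: does this capability carry `right` on `obj`?"""
        try:
            cap_obj, rights = self.verify(cap)
        except (PermissionError, ValueError):
            return False
        return cap_obj == obj and right in rights

def demo() -> dict:
    km = CapabilityManager()
    key_file = "/home/j/.ssh/id_rsa.pub"            # constructed object name
    cap = km.mint(key_file, frozenset({"read"}))
    altered = bytearray(cap)                        # rights byte is the last
    altered[-TAG_LEN - 1] |= 1 << RIGHTS.index("write")   # byte before the tag
    return {
        "read_ok": km.permits(cap, key_file, "read"),              # True
        "write_denied": km.permits(cap, key_file, "write"),        # False
        "altered_rejected": km.permits(bytes(altered), key_file, "write"),
        "other_object": km.permits(cap, "/etc/passwd", "read"),    # False
    }
```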
The right construction
- Encryption does not provide authenticity/integrity; it provides confidentiality.
  (O, r1, r2, ..., rn), HMAC_k(O, r1, r2, ..., rn)
- So, how would you attack the preceding construction?

A fictional Capability Example
- We use the "ls -lt" command to view the contents of our home directory in an OS implementing capabilities
  > Initially, our shell process has RWX capabilities for our home directory and RX capabilities for all the directories up to the root
  > The "ls -lt" command is exec'ed, and the shell delegates the directory permissions by giving ls the capabilities. Note that the capabilities are not tied to any subject.
  > The "ls -lt" process exercises the rights to read the directory structure all the way down to the local directory
  > Of course, the "ls -lt" process now needs to obtain read rights to the files to get their specific meta-information, and obtains them by appealing to the security manager (in the kernel); the request fulfills the policy, and they are added and exercised
  > "ls -lt" uses access rights given to the terminal to write output
- Note there are many ways that the policy can be implemented (rights handed off, etc.). We will talk about a couple in the following discussions.

Procedure-Level Protection Domains (HYDRA)
- Each procedure defines a new protection domain
- Procedure
  > Code
  > Data
  > Capabilities to other objects: caller-independent, caller-dependent (templates)
- Local Name Space (LNS)
  > Capabilities are bound here
  > Record of a procedure invocation (procedure instance)
- Process
  > Stack of LNSs

How HYDRA works
[Figure: a call from the caller's LNS (its capabilities and caller-dependent capabilities) creates the callee's LNS, holding the callee's capabilities and the caller-dependent capabilities passed in.]
- Q: Which object defines the protection domain?

Implications of Fine-Grained Protection
- Programmer
  > Must define templates for each procedure
  > Connect the procedure rights together
- Performance impact
- Q: Do we need to manage rights at this level?

MAC Systems

Multics
- Major effort: Multics
  > Subsequent proprietary system (SCOMP) became the basis for secure operating systems design
- Multiprocessing system that developed many OS concepts, including security
- Begun in 1965; development continued into the mid-70s; used until 2000
- Initial partners: MIT, Bell Labs, GE/Honeywell
- Other innovations: hierarchical filesystems, dynamic linking

Multics Goals
- Secrecy
  > Multilevel security
- Integrity
  > Rings of protection
- Reference Monitoring
  > Mediate segment access, ring crossing
- The resulting system is considered a high point in secure system design

Multics Basics
- Processes are programs that are executing within Multics (seems obvious now)
  > Protection domain is a list of segments
  > Stored in the process descriptor segment
- Segments are stored value regions that are accessible by processes, e.g., memory regions, secondary storage
  > Segments can be organized into hierarchies
  > Local segments (memory addresses) are accessed directly
  > Non-local segments are addressed by hierarchy, e.g., tape_drive/top/ok/etc/conf/http.conf
  > This is the genesis of the modern hierarchical filesystem

Segment Management
- Process Descriptor Segment (PDS) acts like a segment working set for the process
  > Segments are addressed by name (path)
  > If authorized, added to the PDS
  > Multics security is defined with respect to segments
- The supervisor (kernel) makes decisions and adds to the PDS
  > The supervisor is isolated by protection rings

Protection Rings
- Successively less-privileged domains
- Modern CPUs support 4 rings
  > Use 2 mainly: kernel and user
- Intel x86 rings
  > Ring 0 has the kernel
  > Ring 3 has application code
[Figure: nested rings, ring 0 (most privileged) at the centre, ring 3 (least privileged) outermost.]
- Example: Multics has 64 rings in theory, 8 in practice

What Are Protection Rings?
- Coarse-grained hardware protection mechanism
- Boundary between levels of authority
  > Most privileged: ring 0
  > Monotonically less privileged above
- Fundamental purpose
  > Protect system integrity: protect the kernel from services, protect services from apps, and so on

Intel Protection Ring Rules
- Each memory segment has a privilege level (ring number)
- The CPU has a Current Protection Level (CPL)
  > Level of the segment where instructions are being read
- A program can read/write in segments of higher level than its CPL
  > The kernel can read/write user space
  > A user cannot read/write the kernel (why not?)

Protection Ring Rules
- A program cannot call code of higher privilege directly
  > Gate: a special memory address where lower-privilege code can call higher
- Enables the OS to control where applications call it (system calls)

Multics Interpretation
- Kernel resides in ring 0
- Process runs in a ring r
  > Access based on current ring
- Process accesses a data segment
  > Each data segment has an access bracket (a1, a2), a1 <= a2
  > Describes read and write access to the segment
  > r is the current ring:
    r <= a1: access permitted
    a1 < r <= a2: r and x permitted, w denied
    a2 < r: all access denied
[Figure: rings 0 to 7 with the current ring r highlighted.]

Multics Interpretation (con't)
- Also different procedure segments
  > with call brackets (c1, c2), c1 <= c2
  > and access brackets (a1, a2)
  > The following must be true: a2 = c1
- Rights to execute code in a new procedure segment:
    r < a1: access permitted, with ring-crossing fault
    a1 <= r <= a2 = c1: access permitted and no fault
    a2 < r <= c2: access permitted through a valid gate
    c2 < r: access denied
- What's it mean?
  > case 1: ring-crossing fault changes the procedure's ring: increases from r to a1
  > case 2: keep the same ring number
  > case 3: the gate checks args, decreases the ring number
  > The target code segment defines the new ring

Examples
- Process in ring 3 accesses a data segment
  > access bracket (2, 4)
  > What operations can be performed?
- Process in ring 5 accesses the same data segment
  > What operations can be performed?
- Process in ring 5 accesses a procedure segment
  > access bracket (2, 4)
  > call bracket (4, 6)
  > Can the call be made?
  > How do we determine the new ring?
  > Can the new procedure segment access the data segment above?

Multics Segments
- Named segments are protected by access control lists and MLS protections
  > Hierarchically arranged
  > Precursor to hierarchical file systems
- Memory segment access is controlled by a hardware monitor
  > Multics hardware retrieves the segment descriptor word (SDW), like a file descriptor
  > Based on the rights in the SDW, determines whether the process can access the segment
- Master mode (like root) can override protections

Multics Vulnerability Analysis
- Detailed security analysis covering:
  > Hardware
  > Software
  > Procedural features (administration)
- Good news
  > Designed for security
  > System language prevents buffer overflows (defined buffer sizes)
  > Hardware features prevent buffer overflows (addressing off a segment is an error; the stack grows up)
  > The system is much smaller than current UNIX systems

Vulnerabilities Found
- Hardware
  > Indirect addressing: incomplete mediation (checked direct but not indirect addresses)
  > A mistaken modification introduced the error
- Software
  > Ring protection done in software: argument validation was flawed; a certain type of pointer was handled incorrectly
  > Master mode transfer: for performance, the master mode program (signaler) was run in the user ring; development assumed trusted input to the signaler (bad combo)
- Procedural
  > Trap door insertion goes undetected

Midterm
- Next Thursday (10/13/09), in class
- The exam will test three kinds of things:
  > knowledge: do you know the terminology/approaches?
  > synthesis: can you extrapolate or compare concepts?
  > application: can you apply what you learned?
- Structure
  > 14 3-point short-answer questions (42 points)
  > 4 7-point long-answer questions (28 points)
  > 3 10-point problem questions (30 points)

Sample Questions
- Short answer question: Why are active attacks easier to detect than passive attacks?
- Long answer question: Explain what resource imbalances are and why managing them is so important to protecting a network.
- Problem question: Acme archival storage systems is a company that promises to securely store customer data. They provide an online system to which the customer submits documents for storage, which Acme encrypts using AES and a key specific to each request. Acme only accepts requests from 8am to 5pm Monday through Friday, and they are open on all holidays not falling on a weekend. For the purposes of this exercise, you can assume that Acme has been in operation for exactly 700 days. A customer document d_i is encrypted as E(d_i, k_r), where the key k_r is computed as k_r = h(t_i) and t_i is the timestamp (with millisecond granularity) of the request submission. What is the entropy of the key?
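The ring-bracket rules from the two "Multics Interpretation" slides as a checker, worked through on the "Examples" slide; this is an added example, not code from the lecture. The boundary conventions (where <= versus < applies) and the choice that a gate call lands the callee in ring a2 follow the slides as read here and are assumptions.

```python
# Added example, not from the lecture: the Multics access-bracket and
# call-bracket rules as functions, then applied to the "Examples" slide.
# Ring numbers grow as privilege drops; boundary conventions (<= vs <)
# and "gate call runs the callee in ring a2" are assumptions from the slides.

def check_data(r: int, a1: int, a2: int) -> set:
    """Operations a process in ring r may perform on a data segment with
    access bracket (a1, a2), per the first Multics Interpretation slide."""
    if not 0 <= a1 <= a2:
        raise ValueError("need 0 <= a1 <= a2")
    if r <= a1:
        return {"r", "w", "x"}      # at or below the bracket floor: everything
    if r <= a2:
        return {"r", "x"}           # a1 < r <= a2: read/execute, write denied
    return set()                    # a2 < r: all access denied

def check_call(r: int, a1: int, a2: int, c1: int, c2: int, via_gate: bool) -> tuple:
    """Call from ring r into a procedure segment with access bracket (a1, a2)
    and call bracket (c1, c2). Returns (allowed, new_ring, reason)."""
    if a2 != c1:
        raise ValueError("slide invariant violated: a2 must equal c1")
    if not 0 <= a1 <= a2 <= c2:
        raise ValueError("brackets must be ordered")
    if r < a1:
        # case 1: ring-crossing fault; the callee runs in a1 (ring number rises)
        return True, a1, "ring-crossing fault, ring raised to a1"
    if r <= a2:
        return True, r, "no fault, same ring"                      # case 2
    if r <= c2:
        if not via_gate:
            return False, r, "in call bracket but not a valid gate entry"
        # case 3: the gate checks arguments; the ring number decreases to a2
        return True, a2, "valid gate, ring lowered to a2"
    return False, r, "outside call bracket: denied"                # case 4

def slide_examples() -> dict:
    """Data segment with bracket (2,4); procedure with access bracket (2,4)
    and call bracket (4,6), as on the Examples slide."""
    ok, new_ring, why = check_call(5, 2, 4, 4, 6, via_gate=True)
    return {
        "ring3_on_data": check_data(3, 2, 4),    # {'r','x'}: write denied
        "ring5_on_data": check_data(5, 2, 4),    # set(): denied outright
        "ring5_call_ok": ok,                     # True, through the gate
        "new_ring": new_ring,                    # 4
        "why": why,
        "callee_on_data": check_data(new_ring, 2, 4) if ok else set(),  # {'r','x'}
    }
```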