Computer Security CSE 543
Class notes uploaded by Libby Kuhlman on Sunday, November 1, 2015, for CSE 543 at Pennsylvania State University (taught by Staff, Fall).
CSE 543 Computer Security, Fall 2006
Lecture 26: Linux MAC Security (December 12, 2006)
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06
CSE543 Computer and Network Security, Fall 2006, Professor Jaeger

UNIX Discretionary Access Control
- Subjects: processes; each runs with a UID
- Objects: files; mode bits describe the file's ACL
- Operations: read, write, execute; mode bits for user, group, and others
- Administration: the owner UID manages the file's mode bits

UNIX Discretionary Access Control
Q: What are the problems with UNIX DAC?
Some answers (incomplete list):
- Fully privileged UID (root): lots of programs run as root; imagine a vulnerability in one program and it is game over
- Mode bits are not very expressive: try to run a program with only some of your access rights
- No network controls: any program can send a packet anywhere (delegated to the firewall)
- Owner administration does not even mean user administration: any program running as you can give away rights to your files
- Also consider transition: setuid enables execution of code with more privilege

Key Issues
- Control access: limit subjects' access to objects for operations
  - Can we specify/assign a process any set of rights?
  - Do we mediate all objects and operations?
- Administration: manage the distribution of rights among subjects
  - Should all programs be able to do this? Should any program be able to do this?
- Transition: change from one subject to another
  - Should you be able to increase your access? If so, under what conditions?

Windows Access Control: Authorization of Processes to Objects
[Figure slide; its content is not recoverable from the extracted text]

Try to Solve UNIX DAC Limitations
- Control access: assign rights to programs; lots of research (ATOMICMAIL, TRON, Janus, UARC)
- Administration: mandatory access control (intersection of rights, more or less)
- Transitions: limit rights in any transition; limit the ways to escalate
[Cartoon: "Scientific Method" vs "Real World"; image text not recoverable]

Linux Access Control Systems
Patches to the Linux kernel that enforce a different access control policy, restrict root processes, and add some hardening:
- Argus PitBull: limited permissions for root services
- RSBAC: MAC enforcement and virus scanning
- grsecurity: RBAC/MAC system; auditing, buffer overflow prevention, /tmp race protection, etc.
- LIDS: MAC system for root confinement

Linus Directive
Following a presentation of SELinux to the Linux Kernel Summit (March 2001), Linus's reaction:
"Linus Torvalds made a set of remarks that described a security framework he would be willing to consider for inclusion in the mainstream Linux kernel. He described a general framework that would provide a set of security hooks to control operations on kernel objects and a set of opaque security fields in kernel data structures for maintaining security attributes. This framework could then be used by loadable kernel modules to implement any desired model of security."
Result: a project to build a reference monitor in that manner.

Linux Security Modules Framework
[Figure: the traditional reference monitor in Linux; kernel entry points pass through the LSM interface, which authorizes each request]

Linux Security Modules: Difference from Discretionary Controls
- Control access
  - More object types: 29 different object types (per-packet, superblock, shared memory, ...)
  - Finer-grained operations: for files, ioctl, create, getattr, setattr, lock, append, ...
- Administration: not dependent on the user
- Transitions: left to the module
- The kernel already has authorizations using discretionary rights; what happened to those?

Linux Security Modules: How do we design such a reference monitor?
- Mediation: what operations in the kernel need mediation?
  - Different patch writers had different ideas of operations; how can this be rectified?
  - Does the policy enforced determine the reference monitor?
- Security labeling of objects and subjects: how are objects labeled? How are subjects labeled? Remember, this is a mandatory access control system.
- Do we know that the hook placements are correct? Source code verification of hook placements was done: complete mediation and complete authorization.

Linux Security Modules Usage
[Figure: module load, register and unregister; syscall path; policy. Others: POSIX capabilities, module stacking and auditing]

Linux Security Modules Status
- Available in Linux 2.6; packet-level controls upstreamed in 2.6.16
- Modules: POSIX Capabilities module, SELinux module, Domain and Type Enforcement, Openwall (includes grsecurity functions), LIDS, AppArmor
- Not everyone is in favor

SELinux System
[Figure: SELinux-aware services, policy management, bootstrap, SELinuxfs, Linux kernel with SELinux]

SELinux Installed
- Available by default in Fedora Core 3-5: SELinux-enabled kernel and userland packages
- Configuration/bootstrap: /etc/selinux, e.g. the policy; users specify roles and labels (security context)
- Files: labels are stored in xattrs of the ext3 filesystem; you need to relabel any mounted filesystem
- Communicate: /selinux files
- Modes: disabled, permissive, enforcing
- Running SELinux: id -Z shows the SELinux security context of the process; ls -Z shows the security context of files; turn enforcing on with echo 1 > /selinux/enforce; audit2allow turns logged denials into permissions

SELinux Policy
- Extended Type Enforcement: subjects are labeled with types; objects are labeled with types
- Objects also have classes (datatypes), e.g. files, socket files, directories, IPCs, superblocks, etc.
- Permission: allow subject_type object_type:class operation_set
- The subject type can change (domain transition) based on the code executed; which other systems can do this?
- Subject types are limited by roles: your role determines the possible subject transitions

SELinux in Action
[Figure: servicing remote service requests; initrc, Linux kernel]

SELinux Advantages
- Control access: comprehensive authorization of each LSM mediation; policy enforcement for each LSM hook; services updated to use the policy
- Administration: services for building and managing policy; the community has developed policies: strict (least privilege) and targeted (sandbox network services)
- Transition: limits
- Also: adopted by major Linux vendors (RedHat anyway); companies doing training and deployment; [word garbled] in the Linux development process

SELinux Challenges
- Policy complexity: 30,000 policy statements in the strict policy; hide them
- Application complexity: policies for application use; RedHat will do it
- Deployment complexity: build/config/label/etc.; RedHat will do it
- What if an application doesn't work?
- Integration with other security features: hardening and integrity measurement

SuSE AppArmor
- Aim: confine root processes connected to the network; sub-aim: enable these to be set up easily
- AppArmor is an LSM
- Policies are called profiles (per daemon); policies include POSIX capabilities and files; are these policies comprehensive?
- Policy generation tools are an emphasis: run the program in learning mode; a log analysis program queries the user regarding the log
- Extras: domain transitions (same program, unconfined); scan for network programs to add controls; keyboard and mouse input programs

CSE 543 Computer Security, Fall 2006
Lecture 12: OS Security (October 17, 2006)
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06

OS Security
A secure OS should provide the following mechanisms:
- Memory protection
- File protection
- General object protection
- Access authentication
How do we go about designing a trusted OS? Trust in this context means something different from secure.

Trust vs Security
When you get your medication at a pharmacy, you are trusting that it is appropriate for the condition you are addressing. In effect you are arguing internally:
- The doctor was correct in prescribing this drug
- The FDA vetted the drug through scientific analysis and clinical trials
- No maniac has tampered with the bottle
The first two are matters of trust and the last is a matter of security. An OS needs to perform similar due diligence to achieve trust and security.

Access Control Lists
An ACL is a list of the principals that are authorized to have access to some object. E.g., or more correctly:
[Table: for each object O1, O2, O3, which of the subjects S1, S2, S3 is allowed (Y) or denied (D); the cells are garbled in the extracted text]
We are going to see a lot of examples of these throughout the semester.

ACLs in systems
ACLs are typically used to implement discretionary access control. For example, you define the UNIX file system ACLs using the chmod utility.

Discretionary Access Control in the UNIX FS
- The UNIX filesystem implements discretionary access control through file permissions set by the user
- The set of objects is the files in the filesystem, e.g. /etc/passwd
- Each file has an owner and a group (subjects)
  - The owner is typically the creator of the file and the entity in control of the access control policy; note this can be overridden by the root user
- There is an additional subject called world, which represents everyone else

UNIX filesystem rights
There are three rights in the UNIX filesystem:
- READ allows the subject (process) to read the contents of the file
- WRITE allows the subject (process) to alter the contents of the file
- EXECUTE allows the subject (process) to execute the contents of the file, e.g. a shell program or an executable
Q: Why is execute a right?
Q: Does the right to read a program implicitly give you the right to execute it?

The UNIX FS access policy
Really, this is a bit string encoding an access matrix, e.g.
  rwx rwx rwx  ->  user, group, world
A policy is encoded with the letter if the right is enabled and "-" if not, e.g.
  rwxrw---x
says the user can read, write and execute; the group can read and write; and the world can execute only.

Caveats: UNIX Filesystem
- Access is often not really this easy: you need certain rights to parent directories to access a file (execute, for example). The reasons for this are quite esoteric.
- The preceding policy may appear to be contradictory: a member of the group does not have execute rights but members of the world do, so a user appears to be both allowed and prohibited from executing. Not really: these policies are monotonic; the absence of a right does not mean they should not get access at all, just that that particular identity (e.g. group member, world) should not be given that right.

Capabilities
- A capability is the tuple (object, rights)
- A capability system implements access control by checking if the process has an appropriate capability
- Simple, right? This is a little like a ticket in the Kerberos system.
- Q: Does this eliminate the need for authentication?

Capabilities
- A: Well, yes and no. Capabilities remove the overhead of managing per-object rights but add the overhead of managing capabilities.
- Moreover, to get any real security they have to be unforgeable:
  - Hardware tags to protect capabilities
  - Protected address space/registers
  - Language-based techniques: enforce access restrictions on caps
  - Cryptography: make them unforgeable

Real OS Capabilities: Process Table
- The OS kernel manages capabilities in the process table, out of reach of the process
- Capabilities are added by user requests that comply with policy

User space capability
- Well, what are the requirements? Authenticity/integrity: we do not want a malicious process to forge capabilities
- Start with the data itself: (object, rights)
  - The object is typically encoded with an identifier or by some other tag (capabilities are sometimes known as tags)
  - Rights are often fixed (read, modify, write, execute, etc.)
- Now do what you do with any other data; assume the kernel has a secret key k:
  E_k(O, r1, r2, ..., rn)
- What's wrong with this construction? I got it from the website of one of the experts in the area.

The right construction
- Encryption does not provide authenticity/integrity; it provides confidentiality.
  (O, r1, r2, ..., rn, HMAC_k(O, r1, r2, ..., rn))
- So how would you attack the preceding construction?

A fictional Capability Example
We use the ls -lt command to view the contents of our home directory in an OS implementing capabilities.
- Initially our shell process has RWX capabilities for our home directory and RX capabilities for all the directories up to the root.
- The ls -lt command is forked and the shell delegates the directory permissions by giving it the capabilities. Note that the capabilities are not tied to any subject.
- The ls -lt process exercises the rights to read the directory structure all the way down to the local directory.
- Of course, the ls -lt process now needs to obtain read rights to the files to get their specific meta-information, and obtains them by appealing to the security manager in the kernel; the request fulfills the policy and they are added and exercised.
- ls -lt uses the access rights given to the terminal to write its output.
- Note there are many ways that the policy can be implemented (rights handed off, etc.); we will talk about a couple in the following discussions.

Capability Confinement Problem
- Capabilities and lattice models don't mix
- Suppose A is higher secrecy than B; A can read B's capabilities
- Q: Can a Trojan horse running as A write to Obj?

Capability Challenges
- How'd you get those capabilities? Stored with the program/user; compare with getting permissions by a process label
- How do I get them back? Once granted, nearly impossible to revoke
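The mode-bit encoding from the Lecture 12 notes above (rwxrw---x), worked through as an added example that is not part of the slides. It applies POSIX's single-class rule, which Linux implements: the caller is classified as owner, else group member, else world, and only that class's bits are consulted, so the "contradictory" policy resolves to the group member being denied execute. The uids, gids and file are constructed.

```python
"""UNIX mode bits as an access matrix (added example, not from the slides).
permits() applies the POSIX rule: the kernel picks ONE class for the caller
(owner, else group, else other) and consults only that class's bits."""
from dataclasses import dataclass

RIGHTS = ("r", "w", "x")

def parse_mode(mode: str) -> dict:
    """'rwxrw---x' -> {'user': {'r','w','x'}, 'group': {'r','w'}, 'world': {'x'}}"""
    if len(mode) != 9:
        raise ValueError("mode must be 9 characters, e.g. rwxrw---x")
    matrix = {}
    for cls, chunk in zip(("user", "group", "world"), (mode[:3], mode[3:6], mode[6:])):
        rights = set()
        for want, got in zip(RIGHTS, chunk):
            if got == want:
                rights.add(want)
            elif got != "-":
                raise ValueError(f"unexpected {got!r} in mode {mode!r}")
        matrix[cls] = rights
    return matrix

@dataclass
class File:          # constructed stand-in for an inode: owner uid, group gid, mode bits
    owner: int
    group: int
    mode: str

@dataclass
class Process:       # constructed stand-in for a process credential
    uid: int
    gids: frozenset

def permits(proc: Process, f: File, right: str) -> bool:
    """Single-class rule: a group member lacking 'x' is denied even if world has it."""
    matrix = parse_mode(f.mode)
    if proc.uid == 0:
        # Root overrides the mode bits (slides: "overridden by the root user");
        # Linux still requires some x bit to be set before root may execute a file.
        return right != "x" or any("x" in bits for bits in matrix.values())
    if proc.uid == f.owner:
        cls = "user"
    elif f.group in proc.gids:
        cls = "group"
    else:
        cls = "world"
    return right in matrix[cls]
```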
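The user-space capability construction from the slides, (O, r1, ..., rn, HMAC_k(O, r1, ..., rn)), as an added example that is not part of the lecture. The "kernel" is a CapabilityIssuer that alone holds k; user space presents the token on each request, and any modified or foreign token fails the MAC check before its rights are consulted. Object names and keys are constructed.

```python
"""User-space capability tokens (added example, not from the slides).
Implements the slides' second construction, (O, r1..rn, HMAC_k(O, r1..rn)):
the key k stays with the 'kernel' (CapabilityIssuer); user space only holds
the token and presents it on each request. Object names are constructed."""
import hashlib
import hmac
import json
import secrets

RIGHTS = ("read", "modify", "write", "execute")   # fixed right set, as on the slides

class CapabilityIssuer:
    """Stands in for the kernel: the only holder of the secret key k."""

    def __init__(self, key: bytes = b""):
        self._key = key or secrets.token_bytes(32)

    @staticmethod
    def _encode(obj: str, rights) -> bytes:
        # Canonical encoding of (O, r1..rn) so the MAC covers an unambiguous byte string.
        rights = sorted(set(rights))
        if set(rights) - set(RIGHTS):
            raise ValueError(f"unknown rights in {rights}")
        return json.dumps([obj, rights], separators=(",", ":")).encode()

    def _mac(self, obj: str, rights) -> str:
        return hmac.new(self._key, self._encode(obj, rights), hashlib.sha256).hexdigest()

    def issue(self, obj: str, rights) -> dict:
        """Mint a capability for user space: (object, rights, HMAC_k(object, rights))."""
        return {"object": obj, "rights": sorted(set(rights)), "mac": self._mac(obj, rights)}

    def check(self, token: dict, obj: str, right: str) -> bool:
        """True iff the presented token is authentic AND grants `right` on `obj`."""
        try:
            expected = self._mac(token["object"], token["rights"])
            # Constant-time compare; a forged or edited token fails here, before any
            # right is consulted (an encrypt-only token has no such check to fail).
            if not hmac.compare_digest(expected, str(token["mac"])):
                return False
        except (KeyError, TypeError, ValueError):
            return False
        return token["object"] == obj and right in token["rights"]
```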