Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 12 Operating System Security. Operating System  each layer of code needs measures in place to provide appropriate security services  each layer.

Similar presentations


Presentation on theme: "Chapter 12 Operating System Security. Operating System  each layer of code needs measures in place to provide appropriate security services  each layer."— Presentation transcript:

1 Chapter 12 Operating System Security

2 Operating System  each layer of code needs measures in place to provide appropriate security services  each layer is vulnerable to attack from below if the lower layers are not secured appropriately

3 Measures the 2010 Australian Defense Signals Directorate (DSD) list the “Top 35 Mitigation Strategies” the 2010 Australian Defense Signals Directorate (DSD) list the “Top 35 Mitigation Strategies” over 70% of the targeted cyber intrusions investigated by DSD in 2009 could have been prevented over 70% of the targeted cyber intrusions investigated by DSD in 2009 could have been prevented the top four measures for prevention are: the top four measures for prevention are: patch operating systems and applications using auto-update patch operating systems and applications using auto-update patch third-party applications patch third-party applications restrict admin privileges to users who need them restrict admin privileges to users who need them white-list approved applications white-list approved applications

4 Operating System Security possible for a system to be compromised during the installation process before it can install the latest patches possible for a system to be compromised during the installation process before it can install the latest patches building and deploying a system should be a planned process designed to counter this threat building and deploying a system should be a planned process designed to counter this threat process must: process must: assess risks and plan the system deployment assess risks and plan the system deployment secure the underlying operating system and then the key applications secure the underlying operating system and then the key applications ensure any critical content is secured ensure any critical content is secured ensure appropriate network protection mechanisms are used ensure appropriate network protection mechanisms are used ensure appropriate processes are used to maintain security ensure appropriate processes are used to maintain security

5 System Security Planning Process the purpose of the system, the type of information stored, the applications and services provided, and their security requirements the categories of users of the system, the privileges they have, and the types of information they can access how the users are authenticated how access to the information stored on the system is managed what access the system has to information stored on other hosts, such as file or database servers, and how this is managed who will administer the system, and how they will manage the system (via local or remote access) any additional security measures required on the system, including the use of host firewalls, anti-virus or other malware protection mechanisms, and logging

6 Operating Systems Hardening first critical step in securing a system is to secure the base operating system first critical step in securing a system is to secure the base operating system basic steps basic steps install and patch the operating system install and patch the operating system harden and configure the operating system to adequately address the indentified security needs of the system harden and configure the operating system to adequately address the indentified security needs of the system install and configure additional security controls, such as anti- virus, host-based firewalls, and intrusion detection system (IDS) install and configure additional security controls, such as anti- virus, host-based firewalls, and intrusion detection system (IDS) test the security of the basic operating system to ensure that the steps taken adequately address its security needs test the security of the basic operating system to ensure that the steps taken adequately address its security needs

7 Initial Setup and Patching system security begins with the installation of the operating system ideally new systems should be constructed on a protected network full installation and hardening process should occur before the system is deployed to its intended location initial installation should install the minimum necessary for the desired system overall boot process must also be secured the integrity and source of any additional device driver code must be carefully validated critical that the system be kept up to date, with all critical security related patches installed should stage and validate all patches on the test systems before deploying them in production

8 if fewer software packages are available to run the risk is reduced if fewer software packages are available to run the risk is reduced system planning process should identify what is actually required for a given system system planning process should identify what is actually required for a given system when performing the initial installation the supplied defaults should not be used default configuration is set to maximize ease of use and functionality rather than security if additional packages are needed later they can be installed when they are required Remove Unnecessary Services, Applications, Protocols

9 not all users with access to a system will have the same access to all data and resources on that system not all users with access to a system will have the same access to all data and resources on that system elevated privileges should be restricted to only those users that require them, and then only when they are needed to perform a task elevated privileges should be restricted to only those users that require them, and then only when they are needed to perform a task system planning process should consider: categories of users on the system privileges they have types of information they can access how and where they are defined and authenticated default accounts included as part of the system installation should be secured those that are not required should be either removed or disabled policies that apply to authentication credentials configured Configure Users, Groups, and Authentication

10 once the users and groups are defined, appropriate permissions can be set on data and resources once the users and groups are defined, appropriate permissions can be set on data and resources many of the security hardening guides provide lists of recommended changes to the default access configuration many of the security hardening guides provide lists of recommended changes to the default access configuration Configure Resource Controls Install Additional Security Controls further security possible by installing and configuring additional security tools: further security possible by installing and configuring additional security tools: anti-virus software anti-virus software host-based firewalls host-based firewalls IDS or IPS software IDS or IPS software application white-listing application white-listing

11 final step in the process of initially securing the base operating system is security testing final step in the process of initially securing the base operating system is security testing goal: goal: ensure the previous security configuration steps are correctly implemented ensure the previous security configuration steps are correctly implemented identify any possible vulnerabilities identify any possible vulnerabilities checklists are included in security hardening guides there are programs specifically designed to: review a system to ensure that a system meets the basic security requirements scan for known vulnerabilities and poor configuration practices should be done following the initial hardening of the system repeated periodically as part of the security maintenance process Test the System Security

12 Application Configuration may include: may include: creating and specifying appropriate data storage areas for application creating and specifying appropriate data storage areas for application making appropriate changes to the application or service default configuration details making appropriate changes to the application or service default configuration details some applications or services may include: some applications or services may include: default data default data scripts scripts user accounts user accounts of particular concern with remotely accessed services such as Web and file transfer services of particular concern with remotely accessed services such as Web and file transfer services risk from this form of attack is reduced by ensuring that most of the files can only be read, but not written, by the server risk from this form of attack is reduced by ensuring that most of the files can only be read, but not written, by the server

13 Encryption Technology is a key enabling technology that may be used to secure data both in transit and when stored must be configured and appropriate cryptographic keys created, signed, and secured if secure network services are provided using TLS or IPsec suitable public and private keys must be generated for each of them if secure network services are provided using SSH, appropriate server and client keys must be created cryptographic file systems are another use of encryption

14 Security Maintenance process of maintaining security is continuous process of maintaining security is continuous security maintenance includes: security maintenance includes: monitoring and analyzing logging information monitoring and analyzing logging information performing regular backups performing regular backups recovering from security compromises recovering from security compromises regularly testing system security regularly testing system security using appropriate software maintenance processes to patch and update all critical software, and to monitor and revise configuration as needed using appropriate software maintenance processes to patch and update all critical software, and to monitor and revise configuration as needed

15 Logging can only inform you about bad things that have already happened in the event of a system breach or failure, system administrators can more quickly identify what happened key is to ensure you capture the correct data and then appropriately monitor and analyze this data information can be generated by the system, network and applications range of data acquired should be determined during the system planning stage generates significant volumes of information and it is important that sufficient space is allocated for them automated analysis is preferred

16 Data Backup and Archive performing regular backups of data is a critical control that assists with maintaining the integrity of the system and user data may be legal or operational requirements for the retention of data backup the process of making copies of data at regular intervals archive the process of retaining copies of data over extended periods of time in order to meet legal and operational requirements to access past data needs and policy relating to backup and archive should be determined during the system planning stage kept online or offline stored locally or transported to a remote site trade-offs include ease of implementation and cost versus greater security and robustness against different threats

17 Linux/Unix Security patch management patch management keeping security patches up to date is a widely recognized and critical control for maintaining security keeping security patches up to date is a widely recognized and critical control for maintaining security application and service configuration application and service configuration most commonly implemented using separate text files for each application and service most commonly implemented using separate text files for each application and service generally located either in the /etc directory or in the installation tree for a specific application generally located either in the /etc directory or in the installation tree for a specific application individual user configurations that can override the system defaults are located in hidden “dot” files in each user’s home directory individual user configurations that can override the system defaults are located in hidden “dot” files in each user’s home directory most important changes needed to improve system security are to disable services and applications that are not required most important changes needed to improve system security are to disable services and applications that are not required

18 Linux/Unix Security users, groups, and permissions users, groups, and permissions access is specified as granting read, write, and execute permissions to each of owner, group, and others for each resource access is specified as granting read, write, and execute permissions to each of owner, group, and others for each resource guides recommend changing the access permissions for critical directories and files guides recommend changing the access permissions for critical directories and files local exploit local exploit software vulnerability that can be exploited by an attacker to gain elevated privileges software vulnerability that can be exploited by an attacker to gain elevated privileges remote exploit remote exploit software vulnerability in a network server that could be triggered by a remote attacker software vulnerability in a network server that could be triggered by a remote attacker

19 Linux/Unix Security remote access controls several host firewall programs may be used most systems provide an administrative utility to select which services will be permitted to access the system logging and log rotation should not assume that the default setting is necessarily appropriate

20 Linux/Unix Security chroot jail chroot jail restricts the server’s view of the file system to just a specified portion restricts the server’s view of the file system to just a specified portion uses chroot system call to confine a process by mapping the root of the filesystem to some other directory uses chroot system call to confine a process by mapping the root of the filesystem to some other directory file directories outside the chroot jail aren’t visible or reachable file directories outside the chroot jail aren’t visible or reachable main disadvantage is added complexity main disadvantage is added complexity

21 Windows Security patch management “Windows Update” and “Windows Server Update Service” assist with regular maintenance and should be used third party applications also provide automatic update support users administration and access controls systems implement discretionary access controls resources Vista and later systems include mandatory integrity controls objects are labeled as being of low, medium, high, or system integrity level system ensures the subject’s integrity is equal or higher than the object’s level implements a form of the Biba Integrity model

22 Windows Security Users Administration and Access Controls Windows systems also define privileges system wide and granted to user accounts combination of share and NTFS permissions may be used to provide additional security and granularity when accessing files on a shared resource User Account Control (UAC) provided in Vista and later systems assists with ensuring users with administrative rights only use them when required, otherwise accesses the system as a normal user Low Privilege Service Accounts used for long-lived service processes such as file, print, and DNS services

23 Windows Security application and service configuration much of the configuration information is centralized in the Registry forms a database of keys and values that may be queried and interpreted by applications registry keys can be directly modified using the “Registry Editor” more useful for making bulk changes

24 Windows Security other security controls other security controls essential that anti-virus, anti-spyware, personal firewall, and other malware and attack detection and handling software packages are installed and configured essential that anti-virus, anti-spyware, personal firewall, and other malware and attack detection and handling software packages are installed and configured current generation Windows systems include basic firewall and malware countermeasure capabilities current generation Windows systems include basic firewall and malware countermeasure capabilities important to ensure the set of products in use are compatible important to ensure the set of products in use are compatible Windows systems also support a range of cryptographic functions: Windows systems also support a range of cryptographic functions: encrypting files and directories using the Encrypting File System (EFS) encrypting files and directories using the Encrypting File System (EFS) full-disk encryption with AES using BitLocker full-disk encryption with AES using BitLocker “Microsoft Baseline Security Analyzer” “Microsoft Baseline Security Analyzer” free, easy to use tool that checks for compliance with Microsoft’s security recommendations free, easy to use tool that checks for compliance with Microsoft’s security recommendations

25 Virtualization a technology that provides an abstraction of the resources used by some software which runs in a simulated environment called a virtual machine (VM) a technology that provides an abstraction of the resources used by some software which runs in a simulated environment called a virtual machine (VM) benefits include better efficiency in the use of the physical system resources benefits include better efficiency in the use of the physical system resources provides support for multiple distinct operating systems and associated applications on one physical system provides support for multiple distinct operating systems and associated applications on one physical system raises additional security concerns raises additional security concerns

26 Virtualization Alternatives application virtualization allows applications written for one environment to execute on some other operating system full virtualization multiple full operating system instances execute in parallel virtual machine monitor (VMM) hypervisor coordinates access between each of the guests and the actual physical hardware resources

27 Native Virtualization Security Layers

28 Hosted Virtualization Security Layers

29 Virtualization Security Issues security concerns include: security concerns include: guest OS isolation guest OS isolation ensuring that programs executing within a guest OS may only access and use the resources allocated to it ensuring that programs executing within a guest OS may only access and use the resources allocated to it guest OS monitoring by the hypervisor guest OS monitoring by the hypervisor which has privileged access to the programs and data in each guest OS which has privileged access to the programs and data in each guest OS virtualized environment security virtualized environment security particularly image and snapshot management which attackers may attempt to view or modify particularly image and snapshot management which attackers may attempt to view or modify

30 Hypervisor Security should be should be secured using a process similar to securing an operating system secured using a process similar to securing an operating system installed in an isolated environment installed in an isolated environment configured so that it is updated automatically configured so that it is updated automatically monitored for any signs of compromise monitored for any signs of compromise accessed only by authorized administration accessed only by authorized administration may support both local and remote administration so must be configured appropriately may support both local and remote administration so must be configured appropriately remote administration access should be considered and secured in the design of any network firewall and IDS capability in use remote administration access should be considered and secured in the design of any network firewall and IDS capability in use Access to VM image and snapshots must be carefully controlled Access to VM image and snapshots must be carefully controlled

31 Linux Security

32 Linux has evolved into one of the most popular and versatile operating systems Linux has evolved into one of the most popular and versatile operating systems many features mean broad attack surface many features mean broad attack surface can create highly secure Linux systems can create highly secure Linux systems will review: will review: Discretionary Access Controls Discretionary Access Controls typical vulnerabilities and exploits in Linux typical vulnerabilities and exploits in Linux best practices for mitigating those threats best practices for mitigating those threats new improvements to Linux security model new improvements to Linux security model Linux’s traditional security model is: Linux’s traditional security model is: people or proceses with “root” privileges can do anything people or proceses with “root” privileges can do anything other accounts can do much less other accounts can do much less hence attacker’s want to get root privileges hence attacker’s want to get root privileges can run robust, secure Linux systems can run robust, secure Linux systems crux of problem is use of Discretionary Access Controls (DAC) crux of problem is use of Discretionary Access Controls (DAC)

33 Linux Security Transactions

34 File System Security in Linux everything as a file in Linux everything as a file e.g. memory, device-drivers, named pipes, and other system resources e.g. memory, device-drivers, named pipes, and other system resources hence why filesystem security is so important hence why filesystem security is so important I/O to devices is via a “special” file I/O to devices is via a “special” file e.g. /dev/cdrom e.g. /dev/cdrom have other special files like named pipes have other special files like named pipes a conduit between processes / programs a conduit between processes / programs

35 Users and Groups a user-account (user) a user-account (user) represents someone capable of using files represents someone capable of using files associated both with humans and processes associated both with humans and processes a group-account (group) a group-account (group) is a list of user-accounts is a list of user-accounts users have a main group users have a main group may also belong to other groups may also belong to other groups users & groups are not files users & groups are not files

36 Users and Groups user's details are kept in /etc/password user's details are kept in /etc/password maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash additional group details in /etc/group additional group details in /etc/groupconductors:x:100:pianists:x:102:maestro,volodya use useradd, usermod, userdel to alter use useradd, usermod, userdel to alter

37 File Permissions files have two owners: a user & a group files have two owners: a user & a group each with its own set of permissions each with its own set of permissions with a third set of permissions for other with a third set of permissions for other permissions are to read/write/execute in order user/group/other, cf. permissions are to read/write/execute in order user/group/other, cf. -rw-rw-r-- 1 maestro user Mar 25 01:38 baton.txt set using chmod command set using chmod command

38 Directory Permissions read = list contents read = list contents write = create or delete files in directory write = create or delete files in directory execute = use anything in or change working directory to this directory execute = use anything in or change working directory to this directory e.g. e.g. $ chmod g+rx extreme_casseroles $ ls -l extreme_casseroles drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles

39 Sticky Bit originally used to lock file in memory originally used to lock file in memory now used on directories to limit delete now used on directories to limit delete if set must own file or dir to delete if set must own file or dir to delete other users cannot delete even if have write other users cannot delete even if have write set using chmod command with +t flag, e.g. set using chmod command with +t flag, e.g. chmod +t extreme_casseroles directory listing includes t or T flag directory listing includes t or T flag drwxrwx--T 8 biff drummers 288 Mar 25 01:38 extreme_casseroles only apply to specific directory not child dirs only apply to specific directory not child dirs

40 SetUID and SetGID setuid bit means program "runs as" owner setuid bit means program "runs as" owner no matter who executes it no matter who executes it setgid bit means run as a member of the group which owns it setgid bit means run as a member of the group which owns it again regardless of who executes it again regardless of who executes it "run as" = "run with same privileges as” "run as" = "run with same privileges as” are very dangerous if set on file owned by root or other privileged account or group are very dangerous if set on file owned by root or other privileged account or group only used on executable files, not shell scripts only used on executable files, not shell scripts setuid has no effect on directories. setgid does and causes any file created in a directory to inherit the directory's group setuid has no effect on directories. setgid does and causes any file created in a directory to inherit the directory's group useful if users belong to other groups and routinely create files to be shared with other members of those groups useful if users belong to other groups and routinely create files to be shared with other members of those groups instead of manually changing its group instead of manually changing its group

41 Numeric File Permissions

42 Kernel vs User Space Kernel space Kernel space refers to memory used by the Linux kernel and its loadable modules (e.g., device drivers) refers to memory used by the Linux kernel and its loadable modules (e.g., device drivers) User space User space refers to memory used by all other processes refers to memory used by all other processes since kernel enforces Linux DAC and security critical to isolate kernel from user since kernel enforces Linux DAC and security critical to isolate kernel from user so kernel space never swapped to disk so kernel space never swapped to disk only root may load and unload kernel modules only root may load and unload kernel modules

43 setuid root Vulnerabilities a setuid root program runs as root a setuid root program runs as root no matter who executes it no matter who executes it used to provide unprivileged users with access to privileged resources used to provide unprivileged users with access to privileged resources must be very carefully programmed must be very carefully programmed if can be exploited due to a software bug if can be exploited due to a software bug may allow otherwise-unprivileged users to use it to wield unauthorized root privileges may allow otherwise-unprivileged users to use it to wield unauthorized root privileges distributions now minimise setuid-root programs distributions now minimise setuid-root programs system attackers still scan for them! system attackers still scan for them!

44 Web Vulnerabilities a very broad category of vulnerabilities a very broad category of vulnerabilities because of ubiquity of world wide web have big and visible attack surfaces because of ubiquity of world wide web have big and visible attack surfaces when written in scripting languages when written in scripting languages not as prone to classic buffer overflows not as prone to classic buffer overflows can suffer from poor input-handling can suffer from poor input-handling few “enabled-by-default” web applications few “enabled-by-default” web applications but users install vulnerable web applications but users install vulnerable web applications or write custom web applications having easily- identified and easily-exploited flaws or write custom web applications having easily- identified and easily-exploited flaws

45 Rootkits allow attacker to cover their tracks allow attacker to cover their tracks if successfully installed before detection, all is very nearly lost if successfully installed before detection, all is very nearly lost originally collections of hacked commands originally collections of hacked commands hiding attacker’s files, directories, processes hiding attacker’s files, directories, processes now use loadable kernel modules now use loadable kernel modules intercepting system calls in kernel-space intercepting system calls in kernel-space hiding attacker from standard commands hiding attacker from standard commands may be able to detect with chkrootkit may be able to detect with chkrootkit generally have to wipe and rebuild system generally have to wipe and rebuild system

46 Linux Hardening - OS Installation security begins with O/S installation security begins with O/S installation especially what software is run especially what software is run since unused applications liable to be left in default, un- hardened and un-patched state since unused applications liable to be left in default, un- hardened and un-patched state generally should not run: generally should not run: X Window system, RPC services, R-services, inetd, SMTP daemons, telnet etc X Window system, RPC services, R-services, inetd, SMTP daemons, telnet etc also have some initial system s/w configuration: also have some initial system s/w configuration: setting root password setting root password creating a non-root user account creating a non-root user account setting an overall system security level setting an overall system security level enabling a simple host-based firewall policy enabling a simple host-based firewall policy enabling SELinux enabling SELinux

47 Patch Management installed server applications must be: installed server applications must be: configured securely configured securely kept up to date with security patches kept up to date with security patches patching can never win “patch rat-race” patching can never win “patch rat-race” have tools to automatically download and install security updates have tools to automatically download and install security updates e.g. up2date, YaST, apt-get e.g. up2date, YaST, apt-get note should not run automatic updates on change-controlled systems without testing note should not run automatic updates on change-controlled systems without testing

48 Network Access Controls network a key attack vector to secure network a key attack vector to secure TCP wrappers a key tool to check access TCP wrappers a key tool to check access originally tcpd inetd wrapper daemon originally tcpd inetd wrapper daemon before allowing connection to service checks before allowing connection to service checks if requesting host explicitly in hosts.allow is ok if requesting host explicitly in hosts.allow is ok if requesting host explicitly in hosts.deny is blocked if requesting host explicitly in hosts.deny is blocked if not in either is ok if not in either is ok checks on service, source IP, username checks on service, source IP, username now often part of app using libwrappers now often part of app using libwrappers

49 Network Access Controls also have the very powerful netfilter Linux kernel native firewall mechanism also have the very powerful netfilter Linux kernel native firewall mechanism and iptables user-space front end and iptables user-space front end as useful on firewalls, servers, desktops as useful on firewalls, servers, desktops direct config tricky, steep learning curve direct config tricky, steep learning curve do have automated rule generators do have automated rule generators typically for “personnal” firewall use will: typically for “personnal” firewall use will: allow incoming requests to specified services allow incoming requests to specified services block all other inbound service requests block all other inbound service requests allow all outbound (locally-originating) requests allow all outbound (locally-originating) requests if need greater security, manually config if need greater security, manually config

50 Antivirus Software historically Linux not as vulnerable to viruses historically Linux not as vulnerable to viruses more to lesser popularity than security more to lesser popularity than security prompt patching was effective for worms prompt patching was effective for worms but viruses abuse users privileges but viruses abuse users privileges non-root users have less scope to exploit non-root users have less scope to exploit but can still consume resources but can still consume resources growing Linux popularity mean exploits growing Linux popularity mean exploits hence antivirus software will more important hence antivirus software will more important various commercial and free Linux A/V various commercial and free Linux A/V

51 User Management guiding principles in user-account security: guiding principles in user-account security: need care setting file / directory permissions need care setting file / directory permissions use groups to differentiate between roles use groups to differentiate between roles use extreme care in granting / using root privs use extreme care in granting / using root privs commands: chmod, useradd/mod/del, groupadd/mod/del, passwd, chage commands: chmod, useradd/mod/del, groupadd/mod/del, passwd, chage info in files /etc/passwd & /etc/group info in files /etc/passwd & /etc/group manage user’s group memberships manage user’s group memberships set appropriate password ages set appropriate password ages

52 Root Delegation have "root can to anything, users do little” issue have "root can to anything, users do little” issue “su” command allows users to run as root “su” command allows users to run as root either root shell or single command either root shell or single command must supply root password must supply root password means likely too many people know this means likely too many people know this SELinux RBAC can limit root authority, complex SELinux RBAC can limit root authority, complex “sudo” allows users to run as root “sudo” allows users to run as root but only need their password, not root password but only need their password, not root password /etc/sudoers file specifies what commands allowed /etc/sudoers file specifies what commands allowed or configure user/group perms to allow, tricky or configure user/group perms to allow, tricky

53 Logging effective logging a key resource effective logging a key resource Linux logs using syslogd or Syslog-NG Linux logs using syslogd or Syslog-NG receive log data from a variety of sources receive log data from a variety of sources sorts by facility (category) and severity sorts by facility (category) and severity writes log messages to local/remote log files writes log messages to local/remote log files Syslog-NG preferable because it has: Syslog-NG preferable because it has: variety of log-data sources / destinations. much more flexible “rules engine” to configure variety of log-data sources / destinations. much more flexible “rules engine” to configure Log Management……… Log Management……… can log via TCP which can be encryptedbalance number of log files used can log via TCP which can be encryptedbalance number of log files used size of few to finding info in many size of few to finding info in many manage size of log files manage size of log files must rotate log files and delete old copies. typically use logrotate utility run by cron must rotate log files and delete old copies. typically use logrotate utility run by cron to manage both system and application logs to manage both system and application logs must also configure application logging must also configure application logging

54 Running As Unprivileged User/Group every process “runs as” some user every process “runs as” some user extremely important this user is not root extremely important this user is not root since any bug can compromise entire system since any bug can compromise entire system may need root privileges, e.g. bind port may need root privileges, e.g. bind port have root parent perform privileged function have root parent perform privileged function but main service from unprivileged child but main service from unprivileged child user/group used should be dedicated user/group used should be dedicated easier to identify source of log messages easier to identify source of log messages

55 Running in chroot Jail chroot confines a process to a subset of / chroot confines a process to a subset of / maps a virtual “/” to some other directory maps a virtual “/” to some other directory useful if have a daemon that should only access a portion of the file system, e.g. FTP useful if have a daemon that should only access a portion of the file system, e.g. FTP directories outside the chroot jail aren’t visible or reachable at all directories outside the chroot jail aren’t visible or reachable at all contains effects of compromised daemon contains effects of compromised daemon complex to configure and troubleshoot complex to configure and troubleshoot must mirror portions of system in chroot jail must mirror portions of system in chroot jail

56 Modularity applications running as a single, large, multipurpose process can be: applications running as a single, large, multipurpose process can be: more difficult to run as an unprivileged user more difficult to run as an unprivileged user harder to locate / fix security bugs in source harder to locate / fix security bugs in source harder to disable unnecessary functionality harder to disable unnecessary functionality hence modularity a highly prized feature hence modularity a highly prized feature providing a much smaller attack surface providing a much smaller attack surface cf. postfix vs sendmail, Apache modules cf. postfix vs sendmail, Apache modules

57 Encryption sending logins & passwords or application data over networks in clear text exposes them to network eavesdropping attacks sending logins & passwords or application data over networks in clear text exposes them to network eavesdropping attacks hence many network applications now support encryption to protect such data hence many network applications now support encryption to protect such data often using OpenSSL library often using OpenSSL library may need own X.509 certificates to use may need own X.509 certificates to use can generate/sign using openssl command can generate/sign using openssl command may use commercial/own/free CA may use commercial/own/free CA

58 Logging applications can usually be configured to log to any level of detail (debug to none) applications can usually be configured to log to any level of detail (debug to none) need appropriate setting need appropriate setting must decide if use dedicated file or system logging facility (e.g. syslog) must decide if use dedicated file or system logging facility (e.g. syslog) central facility useful for consistent use central facility useful for consistent use must ensure any log files are rotated must ensure any log files are rotated

59 Mandatory Access Controls Linux uses a DAC security model Linux uses a DAC security model but Mandatory Access Controls (MAC) impose a global security policy on all users but Mandatory Access Controls (MAC) impose a global security policy on all users users may not set controls weaker than policy users may not set controls weaker than policy normal admin done with accounts without authority to change the global security policy normal admin done with accounts without authority to change the global security policy but MAC systems have been hard to manage but MAC systems have been hard to manage Novell’s SuSE Linux has AppArmor Novell’s SuSE Linux has AppArmor RedHat Enterprise Linux has SELinux RedHat Enterprise Linux has SELinux pure SELinux for high-sensitivity, high-security pure SELinux for high-sensitivity, high-security

60 Windows Security Windows is the world’s most popular O/S Windows is the world’s most popular O/S advantage is that security enhancements can protect millions of nontechnical users advantage is that security enhancements can protect millions of nontechnical users challenge is that vulnerabilities in Windows can also affect millions of users challenge is that vulnerabilities in Windows can also affect millions of users will review overall security architecture of Windows will review overall security architecture of Windows then security defenses built into Windows then security defenses built into Windows

61 Windows Security Architecture Security Reference Monitor (SRM) Security Reference Monitor (SRM) a kernel-mode component that performs access checks, generates audit log entries, and manipulates user rights (privileges) a kernel-mode component that performs access checks, generates audit log entries, and manipulates user rights (privileges) Local Security Authority (LSA) Local Security Authority (LSA) responsible for enforcing local security policy responsible for enforcing local security policy Security Account Manager (SAM) Security Account Manager (SAM) a database that stores user accounts and local users and groups security information a database that stores user accounts and local users and groups security information local logins perform lookup against SAM DB local logins perform lookup against SAM DB passwords are stored using MD4 passwords are stored using MD4

62 Windows Security Architecture Active Directory (AD) Active Directory (AD) Microsoft’s LDAP directory Microsoft’s LDAP directory all Windows clients can use AD to perform security operations including account logon all Windows clients can use AD to perform security operations including account logon authenticate using AD when the user logs on using a domain rather than local account authenticate using AD when the user logs on using a domain rather than local account user’s credential information is sent securely across the network to be verified by AD user’s credential information is sent securely across the network to be verified by AD WinLogon (local) and NetLogon (net) handle login requests WinLogon (local) and NetLogon (net) handle login requests

63 Local vs Domain Accounts a networked Windows computer can be: a networked Windows computer can be: domain joined domain joined can login with either domain or local accounts can login with either domain or local accounts if local may not access domain resources if local may not access domain resources centrally managed and much more secure centrally managed and much more secure in a workgroup in a workgroup a collection of computers connected together a collection of computers connected together only local accounts in SAM can be used only local accounts in SAM can be used no infrastructure to support AD domain no infrastructure to support AD domain

64 Domain Login Example domain admin adds user’s account info (name, account, password, groups, privileges) domain admin adds user’s account info (name, account, password, groups, privileges) account is represented by a Security ID (SID) account is represented by a Security ID (SID) unique to each account within a domain unique to each account within a domain of form: S-1–5–21-AAA-BBB-CCC-RRR of form: S-1–5–21-AAA-BBB-CCC-RRR Breakdown: S means SID; 1 is version number; 5 is identifier authority (here is SECURITY_NT_AUTHORITY); 21 means “not unique”, although always unique within a domain; AAA-BBB- CCC is unique number representing domain; and RRR is a relative id (increments by 1 for each new account) Breakdown: S means SID; 1 is version number; 5 is identifier authority (here is SECURITY_NT_AUTHORITY); 21 means “not unique”, although always unique within a domain; AAA-BBB- CCC is unique number representing domain; and RRR is a relative id (increments by 1 for each new account)

65 Domain Login Example (cont.) username in one of two forms: username in one of two forms: SAM format: DOMAIN\Username SAM format: DOMAIN\Username User Principal Name (UPN): User Principal Name (UPN): login using username & password or smartcard login using username & password or smartcard assuming login is correct, token is generated and assigned to the user assuming login is correct, token is generated and assigned to the user contains user’s SID, group membership info, and privileges contains user’s SID, group membership info, and privileges assigned to every process run by user, and used for access checks assigned to every process run by user, and used for access checks

66 Windows Privileges are systemwide permissions assigned to user accounts – over 45 total are systemwide permissions assigned to user accounts – over 45 total e.g. backup computer, or change system time e.g. backup computer, or change system time some are deemed “dangerous” such as: some are deemed “dangerous” such as: act as part of operating system privilege act as part of operating system privilege debug programs privilege debug programs privilege backup files and directories privilege backup files and directories privilege others are deemed “benign” such as others are deemed “benign” such as bypass traverse checking privilege bypass traverse checking privilege

67 Access Control Lists two forms of access control list (ACL): two forms of access control list (ACL): Discretionary ACL (DACL) Discretionary ACL (DACL) grants or denies access to protected resources such as files, shared memory, named pipes etc grants or denies access to protected resources such as files, shared memory, named pipes etc System ACL (ACL) System ACL (ACL) used for auditing and in Windows Vista to enforce mandatory integrity policy used for auditing and in Windows Vista to enforce mandatory integrity policy objects needing protection are assigned a DACL (and possible SACL) that includes objects needing protection are assigned a DACL (and possible SACL) that includes SID of the object owner. list of access control entries (ACEs) SID of the object owner. list of access control entries (ACEs) each ACE includes a SID & access mask each ACE includes a SID & access mask access mask could include ability to: access mask could include ability to: read, write, create, delete, modify, etc read, write, create, delete, modify, etc access masks are object-type specific access masks are object-type specific e.g. service abilities are create, enumerate e.g. service abilities are create, enumerate

68 Security Descriptor (SD) data structure with object owner, DACL, & SACL data structure with object owner, DACL, & SACL e.g. e.g. Owner: CORP\Blake ACE[0]: Allow CORP\Paige Full Control ACE[1]: Allow Administrators Full Control ACE[2]: Allow CORP\Cheryl Read, Write and Delete have no implied access, if there is no ACE for requesting user, then access is denied have no implied access, if there is no ACE for requesting user, then access is denied applications must request correct type of access applications must request correct type of access if just request “all access” when need less (e.g. read) some user’s who should have access will be denied if just request “all access” when need less (e.g. read) some user’s who should have access will be denied

69 More SD’s & Access Checks each ACE in the DACL determines access each ACE in the DACL determines access an ACE can be an allow or a deny ACE an ACE can be an allow or a deny ACE Windows evaluates each ACE in the ACL until access is granted or explicitly denied Windows evaluates each ACE in the ACL until access is granted or explicitly denied so deny ACEs come before allow ACEs so deny ACEs come before allow ACEs default if set using GUI default if set using GUI explicitly order if create programmatically explicitly order if create programmatically when user attempts to access a protected object, the O/S performs an access check when user attempts to access a protected object, the O/S performs an access check comparing user/group info with ACE’s in ACL comparing user/group info with ACE’s in ACL

70 Application access Note that when an application requests access, it must also request an access level. Note that when an application requests access, it must also request an access level. Initially (before XP), most applications just requested “all access”, which is only given to owner or admin accounts. Initially (before XP), most applications just requested “all access”, which is only given to owner or admin accounts. This is the reason so many applications failed on Windows XP unless they ran at admin level – essentially, poor coding. This is the reason so many applications failed on Windows XP unless they ran at admin level – essentially, poor coding.

71 Interacting with SDs Powershell to get an object’s SD: Powershell to get an object’s SD: get-acl c:\folder\file.txt | format-list get-acl c:\folder\file.txt | format-list use set-acl to set DACL or SACL use set-acl to set DACL or SACL Can also use Security Descriptor Definition Language (SDDL): Can also use Security Descriptor Definition Language (SDDL): Example function: ConvertStringSecurityDescriptorToSecurityDescriptor() Example function: ConvertStringSecurityDescriptorToSecurityDescriptor()

72 Impersonation process can have multiple threads process can have multiple threads common for both clients and servers common for both clients and servers impersonation allows a server to serve a user, using their access privileges impersonation allows a server to serve a user, using their access privileges e.g. ImpersonateNamedPipeClient function sets user’s token on the current thread e.g. ImpersonateNamedPipeClient function sets user’s token on the current thread then access checks for that thread are performed against this token not server’s then access checks for that thread are performed against this token not server’s with user’s access rights with user’s access rights

73 Mandatory Access Control have Integrity Control in Windows Vista (and later) that limits operations changing an object’s state have Integrity Control in Windows Vista (and later) that limits operations changing an object’s state objects and principals are labeled (using SID): objects and principals are labeled (using SID): Low integrity (S ) Low integrity (S ) Medium integrity (S ) Medium integrity (S ) High integrity (S ) High integrity (S ) System integrity (S ) System integrity (S ) when write operation occurs first check subject’s integrity level dominates object’s integrity level when write operation occurs first check subject’s integrity level dominates object’s integrity level much of O/S marked medium or higher integrity much of O/S marked medium or higher integrity

74 Vista User Account

75 Windows Vulnerabilities Windows, like all O/S’s, has security bugs Windows, like all O/S’s, has security bugs and bugs have been exploited by attackers to compromise customer operating systems and bugs have been exploited by attackers to compromise customer operating systems Microsoft now uses process improvement called the Security Development Lifecycle Microsoft now uses process improvement called the Security Development Lifecycle net effect approx 50% reduction in bugs net effect approx 50% reduction in bugs Windows Vista used SDL start to finish Windows Vista used SDL start to finish IIS v6 (in Windows Server 2003) had only 3 vulnerabilities in 4 years, none critical IIS v6 (in Windows Server 2003) had only 3 vulnerabilities in 4 years, none critical

76 Security Development Lifecycle (SDL) Requirements: Requirements: Mandatory security education Mandatory security education Security design requirements Security design requirements Threat modeling Threat modeling Attack surface analysis and reduction Attack surface analysis and reduction Secure coding Secure coding Secure testing Secure testing Security push Security push Final security review Final security review Security response Security response

77 Patch Management At first, patches were released at all times. Now, they release on the second Tuesday of each month (Patch Tuesday). At first, patches were released at all times. Now, they release on the second Tuesday of each month (Patch Tuesday). More recently, they even announce the expected load the Thursday before, which has been popular with sys admins. More recently, they even announce the expected load the Thursday before, which has been popular with sys admins.

78 Windows System Hardening process of shoring up defenses, reducing exposed functionality, disabling features process of shoring up defenses, reducing exposed functionality, disabling features known as attack surface reduction known as attack surface reduction use 80/20 rule on features use 80/20 rule on features not always achievable not always achievable e.g. requiring RPC authentication in XP SP2 e.g. requiring RPC authentication in XP SP2 e.g. strip mobile code support on servers e.g. strip mobile code support on servers servers easier to harden: servers easier to harden: 1. are used for very specific and controlled purposes 2. server users are administrators with (theoretically) better computer configuration skills than typical users

79 Windows Security Defenses  Have 4 broad categories of security defenses: account defenses account defenses network defenses network defenses buffer overrun defenses. buffer overrun defenses. browser defenses browser defenses

80 Account Defenses user accounts can have privileged SIDs user accounts can have privileged SIDs least privilege dictates that users operate with just enough privilege for tasks least privilege dictates that users operate with just enough privilege for tasks Windows XP users in local Administrators Windows XP users in local Administrators for application compatibility reasons for application compatibility reasons can use “Secondary Logon” to run applications can use “Secondary Logon” to run applications also restricted tokens reduce per-thread privilege also restricted tokens reduce per-thread privilege Windows Vista onwards reverses default with UAC Windows Vista onwards reverses default with UAC users prompted to perform a privileged operation users prompted to perform a privileged operation unless admin on Server unless admin on Server

81 Low Privilege Service Accounts Windows services are long-lived processes started after booting Windows services are long-lived processes started after booting many ran with elevated privileges many ran with elevated privileges but many do not need elevated requirements but many do not need elevated requirements Windows XP added Local Service and Network service accounts Windows XP added Local Service and Network service accounts allow a service local or network access allow a service local or network access otherwise operate at much lower privilege level otherwise operate at much lower privilege level Windows XP SP2 split RPC service (RPCSS) in two (RPCSS and DCOM Server Process) Windows XP SP2 split RPC service (RPCSS) in two (RPCSS and DCOM Server Process) example of least privilege in action, see also IIS6 example of least privilege in action, see also IIS6 direct result of Blastr worm direct result of Blastr worm

82 Stripping Privileges another defense is to strip privileges from an account soon after an application starts another defense is to strip privileges from an account soon after an application starts e.g. Index server process runs as system to access all disk volumes e.g. Index server process runs as system to access all disk volumes but then sheds any unneeded privileges as soon as possible but then sheds any unneeded privileges as soon as possible using AdjustTokenPrivileges using AdjustTokenPrivileges Windows Vista can define privileges required by a service Windows Vista can define privileges required by a service using ChangeServiceConfig2 using ChangeServiceConfig2

83 Network Defenses have IPSec and IPv6 with authenticated network packets enabled by default in Windows Vista have IPSec and IPv6 with authenticated network packets enabled by default in Windows Vista IPv4 also enabled by default, expect less use IPv4 also enabled by default, expect less use E.g. Windows Xbox live network ipsec E.g. Windows Xbox live network ipsec have built-in software firewall have built-in software firewall block inbound connections on specific ports block inbound connections on specific ports Vista can allow local net access only Vista can allow local net access only optionally block outbound connections optionally block outbound connections default was off (XP) but now default on default was off (XP) but now default on

84 Buffer Overrun Defenses many compromises exploit buffer overruns many compromises exploit buffer overruns Windows Vista has “Stack-Based Buffer Overrun Detection (/GS)” default enabled Windows Vista has “Stack-Based Buffer Overrun Detection (/GS)” default enabled source code compiled with special /GS option source code compiled with special /GS option does not affect every function; only those with at least 4- bytes of contiguous stack data and that takes a pointer or buffer as an argument does not affect every function; only those with at least 4- bytes of contiguous stack data and that takes a pointer or buffer as an argument defends against “classic stack smash” defends against “classic stack smash”

85 Windows Stack and /GS flag

86 Buffer Overrun Defenses No eXecuteNamed (NX) / Data Execution Prevention (DEP) / eXecution Disable (XD) No eXecuteNamed (NX) / Data Execution Prevention (DEP) / eXecution Disable (XD) prevent code executing in data segments prevent code executing in data segments as commonly used by buffer overrun exploits as commonly used by buffer overrun exploits applications linked with /NXCOMPAT option applications linked with /NXCOMPAT option Stack Randomization (Vista only) Stack Randomization (Vista only) randomizes thread stack base addresses randomizes thread stack base addresses Heap-based buffer overrun defenses: Heap-based buffer overrun defenses: add and check random value on each heap block add and check random value on each heap block heap integrity checking heap integrity checking heap randomization (Vista only) heap randomization (Vista only)

87 Other Defenses  Image Randomization O/S boots in one of 256 configurations O/S boots in one of 256 configurations makes O/S less predictable for attackers makes O/S less predictable for attackers  Service Restart Policy services can be configured to restart if fail services can be configured to restart if fail great for reliability but lousy for security great for reliability but lousy for security Vista sets some critical services so can only restart twice, then manual restart needed Vista sets some critical services so can only restart twice, then manual restart needed gives attacker only two attempts gives attacker only two attempts Encrypted File System…..EFS, Bitlocker Encrypted File System…..EFS, Bitlocker

88 Browser Defenses web browser is a key point of attack web browser is a key point of attack via script code, graphics, helper objects via script code, graphics, helper objects Microsoft added many defenses to IE7 onwards Microsoft added many defenses to IE7 onwards ActiveX opt-in ActiveX opt-in unloads ActiveX controls by default unloads ActiveX controls by default when any then first run prompts user to confirm when any then first run prompts user to confirm protected mode protected mode IE runs at low integrity level (see earlier) IE runs at low integrity level (see earlier) so more difficult for malware to manipulate O/S so more difficult for malware to manipulate O/S

89 The End


Download ppt "Chapter 12 Operating System Security. Operating System  each layer of code needs measures in place to provide appropriate security services  each layer."

Similar presentations


Ads by Google