CSCD 303 Essential Computer Security Spring 2013 Lecture 6 - Desktop Security.


Overview
Learning Objectives
– Understand the functions of an Operating System including its security functions
– Learn about the different levels of privilege
– Learn about Windows Access Control

OS Design Decisions
The kernel is the heart of the OS and manages most of the functionality of the OS, including access to device hardware
There have been competing designs for the kernel
– Monolithic vs Micro Kernel vs Hybrid Kernel designs
– These design decisions affect the ultimate security of the OS
Nice resource for Operating System Concepts

OS Design Decisions
Monolithic Design
– Integrates a great deal of functionality into the OS core
– Services are interdependent
– Core system is larger
– Every flaw in the system is exposed through the services that depend on that system

Monolithic Kernel
A monolithic kernel is one where all services (file system, device drivers) as well as core functionality (scheduling, memory allocation) are a tight-knit group sharing the same address space
Do not confuse the term "modular kernel" with anything but monolithic
– Some monolithic kernels can be compiled to be modular
– What matters is that a module is inserted into and run from the same space that handles core functionality
Examples of a Monolithic Kernel?

Monolithic Kernel Diagram (figure: Kernel Space)

Monolithic Kernel Pros and Cons
Pros
* More direct access to hardware for programs
* Easier for processes to communicate with each other
* If your device is supported, it should work with no additional installations
* Processes react faster because there isn’t a queue for processor time
Cons
* Large install footprint
* Large memory footprint
* Less secure because everything runs in supervisor or privileged mode

Micro Kernel
In a micro kernel, core functionality is isolated from system services and device drivers
For instance, the VFS (virtual file system) and block device file systems are separate processes that run outside the kernel's space
– Using IPC to communicate with the kernel, other services and user processes
– IPC means Interprocess Communication
Example of a Micro kernel? Minix

Micro Kernel Architecture (figure: Kernel Mode)

Micro Kernel Pros and Cons
Pros
* Portability
* Small memory footprint
* Better security - not as much runs in supervisor or privileged mode
Cons
* Hardware is more abstracted through drivers
* Hardware may react slower because drivers are in user mode
* Processes have to wait in a queue to get information
* Processes can’t get access to other processes without waiting

Hybrid Kernel
A hybrid kernel is an architecture based on combining aspects of the microkernel and monolithic kernel architectures used in computer operating systems
A hybrid kernel runs some services in kernel space to reduce the performance overhead of a traditional microkernel, while still running some kernel code as servers in user space
For instance, a hybrid kernel design may keep the Virtual File System and bus controllers inside the kernel, and run file system drivers and storage drivers as user mode programs outside the kernel
– Such a design keeps the performance and design principles of a monolithic kernel
What's an example of a Hybrid kernel?

Hybrid Kernel Architecture

Hybrid Kernel Pros and Cons
Pros
* Developer can pick and choose what runs in user mode and what runs in supervisor mode
* Smaller install footprint than a monolithic kernel
* More flexible than other models
Cons
* Can suffer from the same process lag as a microkernel
* Device drivers need to be managed by the user (typically)

Operating Systems (OS) Functions
What do OS's do?
– The operating system's tasks, in the most general sense, fall into six categories:
– Processor management
– Memory management
– Device management
– Storage management
– Application interface
– User interface

Operating System Functions
(Picture from HowStuffWorks.com)
The OS controls every task of your computer plus access to all the computer resources

OS Functions
Processor Management
– Allows multiple processes to share the resources of the processor fairly
– Does this by scheduling processes to get execution time
User Processes: Microsoft Word, Firefox or Skype
System Processes: Print spooler, network connections, security accounts manager... plus many others
(figure: Scheduler, Tasks)

Memory Storage and Management
When an operating system manages the computer's memory, there are two broad tasks to be accomplished:
1. Each process must have enough memory in which to execute, and processes must respect each other's memory boundaries
2. Different types of memory must be used properly so that each process can run most effectively, such as
– Cache, RAM and Virtual Memory
The first task requires the operating system to set up memory boundaries for types of software and for individual applications

Device Management
The path between the operating system and virtually all hardware not on the computer's motherboard goes through a special program called a Device Driver
– Drivers function by translating between the electrical signals of the hardware subsystems and the high-level programming languages of the operating system and application programs

Device Management
Drivers are separate from the operating system so that new functions can be added to the driver, and thus to the hardware subsystems
– Without requiring the operating system itself to be modified, recompiled and redistributed

Device Drivers (figure: Linux, Windows, Smart Card)

Storage Management
Manages and organizes disk resources
– Includes temporary devices too
– CD and DVD drives, thumb drives, external drives
Creates file systems for storing both OS types of files and user files
Must somehow keep track of who can access these files
– Access Control

Application Programming Interface (API)
Drivers provide a way for applications to make use of subsystems without having to know every detail of their internal operations
– Application Program Interfaces (APIs) let application programmers use OS functions without having to directly keep track of all the details of the CPU's operation
– Hides the details of the processor and other resources from the program

Application Programming Interface (API)
For example
– Microsoft Word or the Open Office word processor
– You click "Save file"
– If there were no API, Word or Open Office would have to know all the details of the file system and ultimately call the disk controller to create the file on disk
Instead, the language the program is written in, like C or Java, has a function that is mapped to the operating system API for creating a file

User Interface
The User Interface (UI) brings structure to the interaction between user and computer
– In the last decade, almost all development in user interfaces has been in the area of the graphical user interface (GUI)
– Provides the "look and feel" of the computer
(screenshot: Mac OS X)

User Interface (screenshot: Windows Vista)

Operating System Security Functions

OS Security functions
Can ask … What are the primary security functions of most (all) modern Operating Systems?
Most OS's implement two functions
1. User authentication
2. Access to resources
1. User authentication – 2 parts
a. Positively identify the user
– Compare to a stored identity, the user ID
b. Authenticate the user
– User must provide additional information
– Password, biometric attribute, keycard

OS Security functions
2. Access to Authorized Resources
– Decision based on access rules
– Typical authorization is based on individual user or group membership and
– Labels attached to objects
Example: Windows users with admin privilege
– Allowed to both view and change user accounts

OS's Manage Privilege Level
Two levels of privilege in modern CPU's
This is offered by the CPU itself (Intel, AMD)
1. User mode – unprivileged
2. Kernel mode – more privileged
The OS runs in Kernel (more privileged) mode
User programs run in User (less privileged) mode
– User programs make calls to the OS to use the hardware resources
– Use the OS API to access hardware

User Powers
There seems to be a need to have a user with greater powers
– Root, superuser or administrator
Yet, this comes with added risk
– If the user makes a mistake, they can possibly damage the system
– Or, if their identity gets stolen, the attacker has full power over the OS

User Powers
Because of this risk from elevated power, the concept of
– "Least Privilege"
Only want to operate with the minimum of needed power to get the job done
– So, while I could always log in as Administrator, if I get my account hijacked or I get infected by malware while I am administrator, attackers then have full access to the machine's resources
– Example: In Linux Ubuntu, have the sudo command

Windows Security Features
Windows has evolved from a minimal security model prior to Windows NT to something fairly robust in enterprise environments with Windows Vista, 7, Server 2003, Server 2008 and beyond
Look at the main features of Windows security common to all Windows versions

Access Control
Gatekeeper to Windows
Called the Local Security Authority (LSA)
Implemented in the service lsass.exe
What it does
1. Validates access to objects
2. Checks user privilege
3. Creates audit messages

Access Control
Allows subjects to access objects
Subjects
– Any entity that performs some action
– Subjects are not just people or users
– Subjects are actually processes in Windows
Objects – securable objects
– Have associated Access Control Lists (ACL's)
– Lists of permissible actions by subjects
Securable Objects
– Files, directories, services, Registry Keys, Printers

Windows ACLs
Sets of rights
– Basic: read, write, execute, delete, change permission, take ownership
– Generic: no access, read (read/execute), change (read/write/execute/delete), full control (all), special access (assign any basic rights)
– Directory: no access, read (read/execute files in directory), list, add, add and read, change (create, add, read, execute, write files; delete subdirectories), full control, special access

Access Control Components
User Accounts
– Store an identifier and have associated privileges
– Allow access to objects and system resources
– Have associated Security Identifiers (SIDs) for internal use
Windows has built-in accounts
– SYSTEM – powerful local machine account
– Administrator – All powerful, can be renamed but not deleted
Groups
– Group user accounts with similar privileges
– Some built-in groups
– User Accounts in a group inherit the privileges of the group
Examples of built-in groups
– Administrators, Backup Operators, Guests and many others

Security Identifiers (SIDs)
A user account has a SID that uniquely identifies it

Access Control User Rights
Say … you log onto a Windows System
How are you authenticated and what authorizes you to access computer resources?
The Log-on process
– You enter your User ID and password
– Entered credentials are passed to the LSASS subsystem, lsass.exe
– Will go over details when we discuss passwords
– If credentials are valid, a Token is created and attached to the logon session

The Token
What's in a token?
Contains a list of Security IDs associated with a user account
– You can have multiple SIDs because you belong to multiple groups
So, when a user tries to access a resource such as a file, the token is used by the LSASS subsystem
How is the token used?
– An object, say a file, will have an Access Control List (ACL) that specifies the SIDs permitted to access the object
– If one of the SIDs in the user's token matches a SID in the Object's ACL, the user is granted access
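As an added example that is not part of the lecture slides, here is a small Python model of the token-versus-ACL check described in the Access Control Components and The Token slides. It also shows two details the slide leaves out: a deny entry that matches a token SID is evaluated first and overrides a later allow, and a request for several rights can be satisfied by several allow entries together. All SIDs, account names and the ACL below are constructed sample values.

```python
from dataclasses import dataclass
# Access rights as bit flags, named after the "basic" rights in the slides.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (1 << i for i in range(6))

# Constructed sample SIDs: shaped like real SIDs, but the values are made up.
USERS = "S-1-5-32-545"
EDITORS = "S-1-5-21-1000-2000-3000-1100"
ALICE = "S-1-5-21-1000-2000-3000-1001"
BOB = "S-1-5-21-1000-2000-3000-1002"


@dataclass
class Token:
    """Token attached to a logon session: the user's SID plus every group SID."""
    user_sid: str
    group_sids: frozenset = frozenset()

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


@dataclass
class Ace:
    """One access control entry: allow or deny a mask of rights to one SID."""
    sid: str
    mask: int
    allow: bool = True


def access_check(token, acl, desired):
    """Walk the ACL in order: a matching deny wins, matching allows accumulate."""
    granted = 0
    token_sids = token.sids()
    for ace in acl:
        if ace.sid not in token_sids:
            continue                      # entry is for some other SID
        if not ace.allow and ace.mask & desired:
            return False                  # any denied requested right: no access
        if ace.allow:
            granted |= ace.mask & desired
            if granted == desired:
                return True               # every requested right is now covered
    return granted == desired


def effective_rights(token, acl):
    """Bit mask of the individual rights this token would actually be granted."""
    mask = 0
    for bit in (READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER):
        if access_check(token, acl, bit):
            mask |= bit
    return mask


def demo():
    """Constructed scenario: a shared document with a small canonical ACL."""
    alice = Token(ALICE, frozenset({USERS}))
    bob = Token(BOB, frozenset({USERS, EDITORS}))
    acl = [                               # canonical order: explicit denies first
        Ace(ALICE, READ, allow=False),    # Alice is explicitly denied read
        Ace(EDITORS, WRITE | DELETE),
        Ace(USERS, READ | EXECUTE),
    ]
    return {
        "alice_read": access_check(alice, acl, READ),            # False: deny beats the Users allow
        "alice_execute": access_check(alice, acl, EXECUTE),      # True
        "bob_read_write": access_check(bob, acl, READ | WRITE),  # True: two ACEs combine
        "alice_rights": effective_rights(alice, acl),            # EXECUTE only
        "bob_rights": effective_rights(bob, acl),                 # READ|WRITE|EXECUTE|DELETE
    }
```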

Windows Privilege Levels
In XP and other pre-Vista versions
– Had 2 choices of privilege – 1. Administrator or 2. Normal user
Administrator – access to everything
Normal user – many system level tasks you needed to do, you couldn't do
– Consequently, most people ran as Administrator most of the time

Windows Privilege Levels
Vista and Windows 7
– Have more choices
– Can operate as a restricted normal user and still be able to do almost everything in the OS
– And when necessary, you can be elevated to an administrator for a short time to accomplish some task
– Called UAC – User Account Control
us/library/cc772207%28v=WS.10%29.aspx

User Account Control
What does it do?
– UAC allows an administrator to enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, log off, or use the Run as command
– UAC can also require administrators to specifically approve applications that will make "system-wide" changes before those applications are allowed to run, even in the administrator's user session

User Account Control
Windows Vista and 7, how it works:
– Admin Approval Mode (AAM), by default, is not enabled for the Built-in Administrator Account in Windows Vista or 7
– The Built-in Administrator Account is disabled by default in Windows Vista; the first user account created is placed in the local Administrators group, and AAM is enabled for that account

Benefits of UAC
– Admin Approval Mode helps prevent malicious programs from silently installing without an administrator's knowledge
– It also helps protect from inadvertent system-wide changes
– Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process

Tasks Only Administrators Can Perform
– Create, change, and delete user accounts and groups
– Install and uninstall programs
– Configure automatic updating or install Windows updates manually
– Install an ActiveX control
– Install or remove hardware device drivers
– Share folders
– Set permissions
– Access all files, including those in another user’s folder
– Take ownership of files
– Copy or move files into the %ProgramFiles% or %SystemRoot% folders
– Restore backed-up system files
– Grant rights to other user accounts and to themselves
– Configure Parental Controls
– Configure Windows Firewall

Tasks Available to Standard Users
– Change the password and picture for their own user account
– Use programs that have been installed on the computer
– Install approved ActiveX controls
– Configure a secure Wi-Fi connection
– View permissions
– Create, change, and delete files in their document folders and in shared document folders
– Restore their own backed-up files
– View the system clock and calendar, and change the time zone
– Configure power options
– Log on in Safe Mode

Summary
Operating Systems by design help or hinder security
Users and processes have access to resources on a given system according to their identities and group affiliations
Want the concept of Least Privilege to be in effect
– Use the least privilege level to get the job done
– Helps with restricting access by potential bad guys

The End
Next Time: More Desktop Security
Next: Vista Lab, meet in CEB 342 according to the day you signed up