Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 8 Page 1 CS 236, Spring 2008 Operating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Published byEarl Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 8 Page 1 CS 236, Spring 2008 Operating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008."— Presentation transcript:

1 Lecture 8 Page 1 CS 236, Spring 2008 Operating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008

2 Lecture 8 Page 2 CS 236, Spring 2008 Outline Introduction Memory protection Buffer overflows Interprocess communications protection File protection and disk encryption

3 Lecture 8 Page 3 CS 236, Spring 2008 Introduction Operating systems provide the lowest layer of software visible to users Operating systems are close to the hardware –Often have complete hardware access If the operating system isn’t protected, the machine isn’t protected Flaws in the OS generally compromise all security at higher levels

4 Lecture 8 Page 4 CS 236, Spring 2008 Why Is OS Security So Important? The OS controls access to application memory The OS controls scheduling of the processor The OS ensures that users receive the resources they ask for If the OS isn’t doing these things securely, practically anything can go wrong So almost all other security systems must assume a secure OS at the bottom

5 Lecture 8 Page 5 CS 236, Spring 2008 Single User Vs. Multiple User Machines The majority of today’s computers usually support a single user Some computers are still multi-user –Often specialized servers Single user machines often run multiple processes, though –Often through downloaded code Increasing numbers of embedded machines –Effectively no (human) user

6 Lecture 8 Page 6 CS 236, Spring 2008 Booting Issues The OS usually isn’t present in memory when the system powers up –And isn’t initialized Something has to get that done That’s the bootstrap program Security is a concern here

7 Lecture 8 Page 7 CS 236, Spring 2008 The Bootstrap Process Bootstrap program is usually very short Located in easily defined place Hardware finds it, loads it, runs it Bootstrap then takes care of initializing the OS

8 Lecture 8 Page 8 CS 236, Spring 2008 Security and Bootstrapping Most machine security relies on OS being trustworthy That implies you run the OS you think you run The bootstrap loader determines which OS to run If it’s corrupted, you’re screwed

9 Lecture 8 Page 9 CS 236, Spring 2008 Practicalities of Bootstrap Security Most systems make it hard to change bootstrap loader –But must have enough flexibility to load different OSes –From different places on machine Malware likes to corrupt bootstrap Trusted computing platforms can help secure bootstrapping

10 Lecture 8 Page 10 CS 236, Spring 2008 Mechanisms for Secure Operating Systems Most operating system security is based on separation –Keep the bad guys away from the good stuff –Since you don’t know who’s bad, separate most things

11 Lecture 8 Page 11 CS 236, Spring 2008 Separation Methods Physical separation –Different machines Temporal separation –Same machine, different times Logical separation –HW/software enforcement –Possibly VM technology Cryptographic separation

12 Lecture 8 Page 12 CS 236, Spring 2008 The Problem of Sharing Separating stuff is actually pretty easy The hard problem is allowing controlled sharing How can the OS allow users to share exactly what they intend to share? –In exactly the ways they intend

13 Lecture 8 Page 13 CS 236, Spring 2008 Levels of Sharing Protection None Isolation All or nothing Access limitations Limited use of an object

14 Lecture 8 Page 14 CS 236, Spring 2008 What Is Shared? CPU –Relatively easy to protect I/O –Somewhat trickier –Especially storage devices Memory –Hard, the cause of many problems

15 Lecture 8 Page 15 CS 236, Spring 2008 Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows

16 Lecture 8 Page 16 CS 236, Spring 2008 What Is In Memory? Executable code –Integrity required to ensure secure operations Copies of permanently stored data –Secrecy and integrity issues Temporary process data –Mostly integrity issues

17 Lecture 8 Page 17 CS 236, Spring 2008 Mechanisms for Memory Protection Most general purpose systems provide some memory protection –Logical separation of processes that run concurrently Usually through virtual memory methods Originally arose mostly for error containment, not security

18 Lecture 8 Page 18 CS 236, Spring 2008 Paging and Security Main memory is divided into page frames Every process has an address space divided into logical pages For a process to use a page, it must reside in a page frame If multiple processes are running, how do we protect their frames?

19 Lecture 8 Page 19 CS 236, Spring 2008 Protection of Pages Each process is given a page table –Translation of logical addresses into physical locations All addressing goes through page table –At unavoidable hardware level If the OS is careful about filling in the page tables, a process can’t even name other processes’ pages

20 Lecture 8 Page 20 CS 236, Spring 2008 Page Tables and Physical Pages Process A Process B Process Page TablesPhysical Page Frames

21 Lecture 8 Page 21 CS 236, Spring 2008 Security Issues of Page Frame Reuse A common set of page frames is shared by all processes The OS switches ownership of page frames as necessary When a process acquires a new page frame, it used to belong to another process –Can the new process read the old data?

22 Lecture 8 Page 22 CS 236, Spring 2008 Reusing Pages Process A Process B Process Page TablesPhysical Page Frames What happens now if Process A requests a page? Can Process A now read Process B’s deallocated data? Process B deallocates a page

23 Lecture 8 Page 23 CS 236, Spring 2008 Strategies for Cleaning Pages Don’t bother Zero on deallocation Zero on reallocation Zero on use Clean pages in the background

24 Lecture 8 Page 24 CS 236, Spring 2008 Special Interfaces to Memory Some systems provide a special interface to memory If the interface accesses physical memory, –And doesn’t go through page table protections, –Attackers can read the physical memory –Then figure out what’s there and find what they’re looking for

25 Lecture 8 Page 25 CS 236, Spring 2008 Buffer Overflows One of the most common causes for compromises of operating systems Due to a flaw in how operating systems handle process inputs –Or a flaw in programming languages –Or a flaw in programmer training –Depending on how you look at it

26 Lecture 8 Page 26 CS 236, Spring 2008 What Is a Buffer Overflow? A program requests input from a user It allocates a temporary buffer to hold the input data It then reads all the data the user provides into the buffer, but... It doesn’t check how much data was provided

27 Lecture 8 Page 27 CS 236, Spring 2008 For Example, int main(){ char name[32]; printf(“Please type your name: “); gets(name); printf(“Hello, %s”, name); return (0); } What if the user enters more than 32 characters?

28 Lecture 8 Page 28 CS 236, Spring 2008 Well, What If the User Does? The code continues reading data into memory –That’s how gets() works The first 32 bytes go into name Where do the remaining bytes go? Onto the stack

29 Lecture 8 Page 29 CS 236, Spring 2008 Munging the Stack The temporary variable name is allocated on the stack –Close to the record of the function currently being run The overflow will spill into whatever’s next on the stack If it overflows enough, it will overwrite the instruction pointer When the function exits, it will go to the overwritten pointer, not where it came from

30 Lecture 8 Page 30 CS 236, Spring 2008 Why Is This a Security Problem? All attacker can do is run different code than was expected He hasn’t gotten into anyone else’s processes –Or data So he can only fiddle around with his own stuff, right?

31 Lecture 8 Page 31 CS 236, Spring 2008 Is That So Bad? Well, yes That’s why a media player can write configuration and data files Unless roles and access permissions set up very carefully, a typical program can write all its user’s files

32 Lecture 8 Page 32 CS 236, Spring 2008 The Core Buffer Overflow Security Issue Programs are often run on behalf of others –But using your identity Maybe it’s OK for you to access some data But is it OK for someone who you’re running a program for?

33 Lecture 8 Page 33 CS 236, Spring 2008 But I Never Run Programs for Anyone Else Oh, yes, you do Every time you download any form of executable Every time you download a file containing an executable Every time you allow someone to remotely access data on your system –E.g., via a web server In all cases, you’re doing something for someone else

34 Lecture 8 Page 34 CS 236, Spring 2008 Using Buffer Overflows to Compromise Security Carefully choose what gets written into the instruction pointer So that the program jumps to something you want to do –Under the identity of the program that’s running Such as, execute a command shell

35 Lecture 8 Page 35 CS 236, Spring 2008 Effects of Buffer Overflows A remote or unprivileged local user runs a program with greater privileges If buffer overflow is in a root program, it gets all privileges, essentially Can also overwrite other stuff –Such as heap variables Common mechanism to allow attackers to break into machines

36 Lecture 8 Page 36 CS 236, Spring 2008 Stack Overflows The most common kind of buffer overflow Intended to alter the contents of the stack Usually by overflowing a dynamic variable Usually with intention of jumping to exploit code –Though could be to alter parameters or variables in other frames –Or even variables in current frame

37 Lecture 8 Page 37 CS 236, Spring 2008 Heap Overflows Heap is used to store dynamically allocated memory Buffers kept there can also overflow Generally doesn’t offer direct ability to jump to arbitrary code But potentially quite dangerous

38 Lecture 8 Page 38 CS 236, Spring 2008 What Can You Do With Heap Overflows? Alter variable values “Edit” linked lists or other data structures If heap contains list of function pointers, can execute arbitrary code Generally, heap overflows are harder to exploit than stack overflows But they exist –E.g., Microsoft CVE-2007-0948 Allowed VM to escape confinement

39 Lecture 8 Page 39 CS 236, Spring 2008 Are Buffer Overflows Common? You bet! Weekly occurrences in major systems/applications –Mostly stack overflows Probably one of the most common security bugs

40 Lecture 8 Page 40 CS 236, Spring 2008 Some Recent Buffer Overflows Cisco Security Agent for Windows –They should have known better HP OpenView Network Node Manager –They should have, too IBM Lotus Notes –Them, too 3ivx MPEG-4 Codec And more than 15 others in December 2007 alone –In code written by everyone from Microsoft to tiny software shops

41 Lecture 8 Page 41 CS 236, Spring 2008 Fixing Buffer Overflows Check the length of the input Use programming languages that prevent them Add OS controls that prevent overwriting the stack Put things in different places on the stack, making it hard to find the return pointer Don’t allow execution from places in memory where buffer overflows occur (E.g., Windows DEP) Why aren’t these things commonly done? –Sometimes they are Presumably because programmers and designers neither know nor care about security

Download ppt "Lecture 8 Page 1 CS 236, Spring 2008 Operating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008."

Similar presentations

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
Common System Components

Common System Components
OS Spring’04 Introduction Operating Systems Spring 2004.

OS Spring’04 Introduction Operating Systems Spring 2004.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Lecture 8 Page 1 CS 136, Fall 2014 Operating System Security Computer Security Peter Reiher October 30, 2014.

Lecture 8 Page 1 CS 136, Fall 2014 Operating System Security Computer Security Peter Reiher October 30, 2014.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.

Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
CS 346 – Chapter 1 Operating system – definition Responsibilities What we find in computer systems Review of –Instruction execution –Compile – link – load.

CS 346 – Chapter 1 Operating system – definition Responsibilities What we find in computer systems Review of –Instruction execution –Compile – link – load.
Invitation to Computer Science 5 th Edition Chapter 6 An Introduction to System Software and Virtual Machine s.

Invitation to Computer Science 5 th Edition Chapter 6 An Introduction to System Software and Virtual Machine s.
CE01000-3 Operating Systems Lecture 3 Overview of OS functions and structure.

CE Operating Systems Lecture 3 Overview of OS functions and structure.
Lecture 11 Page 1 CS 111 Online Memory Management: Paging and Virtual Memory CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 11 Page 1 CS 111 Online Memory Management: Paging and Virtual Memory CS 111 On-Line MS Program Operating Systems Peter Reiher.

Similar presentations

Ads by Google