Operating System security

1
Operating System security

• Ge Zhang
• ge.zhang_at_kau.se
• Karlstad University

2
Outline

• Operating system
• Basic access control schemes
• Examples Unix/Linux

3
Operating systems
User Applications my sql, apache, calc, firefox,
etc
Operating system windows, linux, unix
Hardware memory, CPU, HD, etc

• Process management
• File access
• Memory management
• Security (authentication, authorization,)

4
Objects and Subjects

• Subject
• Active entity in a computer system
• User, process
• Object
• Passive entity or resource in a computer system
• Files, network devices, printers
• In defining access controls, you can either
  specify
• what a subject is allowed to do
• or
• what may be done with an object

5
Who can define the permissions

• Discretionary - the owner of the resource decides
  who is allowed to have access
• Mandatory - the system-wide policy decides who is
  allowed to have access

6
Permissions

• Permissions for files may include
• read
• write
• execute
• append
• delete
• change permission
• change ownership

7
Access Control Matrix

• Subjects Alice, BobObjects bill.doc, edit.exe,
  fun.batOperations read (r),,write (w),execute
  (e)
• Not suitable for direct implementation
• The matrix is likely to be extremely sparse and
  therefore implementation is inefficient
• Management of the matrix is likely to be
  extremely difficult if there are 10,000 of files
  and 100 of users (resulting in 1,000,000 of
  matrix entries)

8
Capabilities

• Access rights are kept with the subjects
• i.e.,
• Alices capability edit.exe execute fun.com
  execute, read
• Problem
• It is difficult to get an overview of who has
  permission to access a given object
• It is difficult to revoke a capability

9
Access Control Lists

• Access rights can be kept with the objects
  (Access Control Lists).
• i.e. ACL for fun.com Alice execute, read
  Bill execute, read, write
• A fitting concept for O.S.
• But problem?

10
Image such a ACL

• ACL for exam11.txt Alice read, write Bill
  read, write Charlie read, write Dan read,
  write Eva read, write Frank read, write .
  (another 200 students)

11
Intermediate Controls Groups

• Groups and Negative permissions
• ACL for exam11.txt Student_group read, write

12
Protection rings

• A simple intermediate layer of hardware based
  access control
• 2 bit field in status register (0-3)
• Defines 4 privilege levels (protection rings)
• Each subject (process) and each object is
  assigned a number
• It is mainly for integrity protection for
  operating system kernel

13

• Now we take Unix/Linux system as an example

14
Security schemes in Unix/Linux

• Account security
• User authentication
• File system security
• File access control
• Management issues
• Audit log
• Environment variables
• Manage the superuser

15
Account security (1)

• User Accounts (/etc/passwd)
• User name a string up to 8 characters
• User identities (UIDs) and group identities
  (GIDs) Superuser (Root, UID0)
• Unix does not distinguish between users with the
  same UID!!!!
• Home directory
• Shell

rootx00root/root/bin/bash binx11bin/bin
/bin/bash jimx500100Jim Smith/home/jim/bin/
bash
16
Account security (2)

• Shadow file (/etc/shadow) (only accessable to the
  users with root privilege)
• User name
• Password (algorithm, salt, hashed password)
• login is disabled
• Empty no password is required
• Last password change
• Minimum the number of days left before the user
  is allowed to change his/her password
• Maximum The maximum number of days the password
  is valid (after that user is forced to change
  his/her password)

root1v3cNGjbWWEvnoW8Cniswn3d145230999997
bin109330999997 jim109330999997
17
Account security (3)
salt
Password (plaintext)
One-way function
Password (encrypted)
root1v3cNGjbWWEvnoW8Cniswn3d145230999997
bin109330999997 jim109330999997
18
Account security (4)

• Groups
• Users belong to one or more groups
• To share files or other resource with a small
  number of users
• Ease of user management (give privilege)
• Group file (/etc/group)
• Group name
• Password
• Group ID (GID)
• Group list members

studentx24alice, bob, raj teacherx12raj,
nick
19
File system (1)

• The inode each file entry in a directory is a
  pointer to a data structure
• mode types of file and access rights
• uid the owners id
• gid the owners group id
• atime last access time
• mtime last modification time
• itime last inode alteration time
• block count size of file
• physical location

20
File system (2)

• The type of the file - for regular file, d
  for directory
• File permissions
• Link counter
• Name of the owner and the group

- rw-r--r-- 1 nick staff 1617 Oct 28 1101
test.txt drwx------ 2 nick staff 512 Oct 25
1755 tmp/
21
File system (3)

• Owner (r, w, x), group (r, w, x), other (r, w, x)
• Two ways to represent
• String rwxr--r--
• Octal number 744
• System default permissions 666 or 777
• (umask) a three-digit number specifying the
  rights that should be withheld
• System default permissions AND NOT umask
• For example umask 777 (denies all)

22
File system (4)

• Permission for directories
• Read find which files are in the directory
  (e.g., ls)
• Write add files, remove, or rename files in the
  directory
• Execute enter the directory and open files in
  the directory (even for your own files)

23
File system (5)

• a real pain if you try and install a permanent
  file in someones directory.
• Sticky bit restrict the right to delete a file.
• Only the file's owner, the directory's owner, or
  the root can rename or delete files.

drwxrwxrwx 4 root sys 485 Nov 10 0601 /tmp
drwxrwxrwt 4 root sys 485 Nov 10 0601 /tmp
24
File system (6)

• Unix requires higher privilege temporarily to
  execute some operations
• e.g., change password
• SUID (set userID), SGID (set groupID)
• A user who is executing this program will get the
  privilege of the owner temporarily

-rws--x--x 3 root root 16384 Nov 16 1996 passwd
25
Processes

• Each process has a process ID (PID)
• Two pairs of UID/GID for each process
• A real UID/GID
• An effective UID/GID
• The login process

process Real UID Effective UID Real GID Effective GID
/bin/bash nick nick staff staff
/bin/passwd nick root staff root
/bin/ls nick nick staff staff
26
File system (7)

• To change the attributes
• chmod
• who u, g, o, a
• Permission r, w, x, s, t
• chmod 777 file
• chmod or file

27
File system (8)

• How to set sticky bit, SUID, SGID?
• Need a fourth number
• 4??? set user ID on execution
• 2??? set group ID on execution
• 1??? set sticky bit

28
File system (9)

• How to remove a file in a secure way?
• Links
• You removed the original link to the file, but
• ncheck list all links to a file
• Furthermore, the file is not really deleted!
• User wipe

29
Changing the root of the filesystem

• Sandbox access to objects outside the sandbox is
  prevented
• chroot ltdirectorygt ltcommandgt
• Changes the root directory from / to ltdirectorygt
  when ltcommandgt executes
• For example, a web server

30
Search path

• Shell a command line interpreter
• For easy-to-use user input command without
  specifying the full pathname
• Searchpath in the .profile
• PATH.HOME/bin/usr/bin/usr/bin/usr/local/us
  r/new/usr/hosts

31
Manage the superuser

• Superuser is the major weakness
• Compromise the account
• Weak password
• Change UID to 0
• Crash the process with root privillege
• Presentation
• Admin should not use root as their personal
  account (using SU, SUDO)
• Strong password protection

32
Questions