Operating System Security

Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Outline
 Functions of Operating System
 Security concerns in OS
 Process security
 File Security
 Booting security
 Hibernation security
 Password based security
 Event log management in Windows
Functions of Operating System
 Is a mediator between user applications and hardware
 Handles many complex tasks
 Memory management
 Process management
 Handling deadlocks
 File system support
 Multitasking
 Multi-user support
What Can Go Wrong?
 Consider a situation where there is a shortage of systems in the School of CSE, IITI
 If you are asked to share the same PC with your peers
 What do you want to do?
 Users have different levels of access
 Based on role
 Multiple users and multitasking require a level of protection
 Keeping one user from interfering with other users
 Keeping one program from interfering with other users
 Sharing of resources
 Optimization
Organization of Computer Hardware and Software
[Figure: layered diagram, top to bottom: User Applications, Non Essential OS Applications, OS Kernel, Hardware]
 Hardware
 Many devices
 Each device has a driver
 Provides APIs to access
 Kernel
 Heart of OS
 Manages the low level h/w resources
 Non essential component of OS
 Printing program
 User application
 Access the service provided by OS
 System calls
Process
 Kernel defines the notion of a process
 Programs are stored in persistent storage
 Can multiple copies of the same program run simultaneously?
 Time slicing
 Process tree
 Fork system call
 Parent and child
 Peers
 In a Linux system, init is the root of the process tree
 Meaning all other processes are created by it
 Its PID is 0
[Figure: Process Tree Diagram]
Process Privileges
 To grant appropriate access restrictions on the process, the operating system associates privilege information with a process
 This privilege is the same as the privilege of the user who is running the process
 Each process has a user id called uid and a group id called gid
 The uid is a number between 0 and 32767 which uniquely identifies each user
 Typically uid 0 is assigned to the root user
 Similarly gid is also a number in the same range
 Effective user id eid is the user id whose privileges are used to access a resource
File Ownership and Permissions
 Permissions:
 Assigned to each file/directory
 Provides security
 Ability to manage users and their files.
 Needed to access file/directory
 Usually granted to groups
 In multi-user operating systems like Linux, access is given only to authorized users
 Super (root) user:
 Has special privileges
 In a sense owns everything
 Can change file ownerships
 Can bypass permissions that the owner of a file may have set
 The root account is used to perform administrative functions
File Ownership and Permissions
 Unix systems treat everything as a file
 Special files
 Devices: a piece of hardware, either part of the system or an external unit
 Sockets: a means of communicating with other processes
 Permissions can be of
 Read
 Write and
 Execute
 File system
 ext2 and ext3: permissions apply
 FAT: no means of ownership
Sticky Bit in Unix
 Sticky bit: mainly used to prevent some other user from deleting a file even though she has write permission on the folder
 If the sticky bit is enabled on a folder, the folder contents can be deleted only by the owner who created them and by the root user.
 This is a security measure to avoid deletion of critical folders and their content (sub-folders and files), even though other users have full permissions.
 Setting the sticky bit
 chmod +t /opt/dump/
 +t indicates sticky bit setting
 Checking the sticky bit
 ls -l : a t will appear in the listing
 Revoking the sticky bit
 chmod -t /opt/dump/
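An added example, not part of the original slides: a Python sketch that performs the same set, check and revoke steps as chmod +t, ls -l and chmod -t, and audits a tree for world-writable directories that lack the sticky bit. The directory names dump and private are constructed for the demonstration.

```python
import os
import stat
import tempfile

def set_sticky(path, enable=True):
    """Same effect as `chmod +t` (enable) or `chmod -t` (disable)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode = (mode | stat.S_ISVTX) if enable else (mode & ~stat.S_ISVTX)
    os.chmod(path, mode)

def unprotected_shared_dirs(root):
    """Return world-writable directories under root that lack the sticky bit."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            if (stat.S_ISDIR(mode) and mode & stat.S_IWOTH
                    and not mode & stat.S_ISVTX):
                findings.append(full)
    return sorted(findings)

def demo():
    """Build a constructed tree, audit it, set the bit, audit again, revoke."""
    with tempfile.TemporaryDirectory() as root:
        dump = os.path.join(root, "dump")        # shared, world-writable
        private = os.path.join(root, "private")  # writable by owner only
        os.mkdir(dump)
        os.mkdir(private)
        os.chmod(dump, 0o777)
        os.chmod(private, 0o755)
        before = [os.path.basename(p) for p in unprotected_shared_dirs(root)]
        set_sticky(dump)
        listing = stat.filemode(os.stat(dump).st_mode)  # string ls -l shows
        after = unprotected_shared_dirs(root)
        set_sticky(dump, enable=False)
        revoked = stat.filemode(os.stat(dump).st_mode)
        return before, listing, after, revoked

if __name__ == "__main__":
    print(demo())
```

The trailing t in the mode string is the marker that ls -l shows once the bit is set.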
Memory Management
 Process granularity
 Each process upon creation is allocated some memory called its address space
 This memory is organized in segments
 .text, .data, .bss, and heap and stack segments
 Each segment has its own access permissions
 Readable, writable and executable
 The operating system protects one process from another by not allowing access to another's address space
 Global granularity
 Kernel address space
 User address space
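An added example, not part of the original slides: on Linux the per-segment permissions described above are visible in /proc/<pid>/maps, and this Python sketch parses that format and flags regions that are both writable and executable. The sample listing is constructed for illustration, not captured from a real process.

```python
# Constructed sample in /proc/<pid>/maps format:
# address-range  perms  offset  dev  inode  pathname
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131090 /usr/bin/demo
0060a000-0060b000 r--p 0000a000 08:01 131090 /usr/bin/demo
0060b000-0060c000 rw-p 0000b000 08:01 131090 /usr/bin/demo
01a3c000-01a5d000 rw-p 00000000 00:00 0 [heap]
7f2c4a000000-7f2c4a021000 rwxp 00000000 00:00 0
7ffd1b2e0000-7ffd1b301000 rw-p 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Parse maps text into a list of region dictionaries."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        start, end = (int(x, 16) for x in fields[0].split("-"))
        regions.append({
            "start": start,
            "size": end - start,
            "perms": fields[1],  # r, w, x flags plus p(rivate)/s(hared)
            "name": fields[5].strip() if len(fields) > 5 else "[anon]",
        })
    return regions

def writable_and_executable(regions):
    """Regions whose contents can be both modified and executed."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]

if __name__ == "__main__":
    for r in writable_and_executable(parse_maps(SAMPLE_MAPS)):
        print(hex(r["start"]), r["size"], r["perms"], r["name"])
```

In the sample, the code segment is readable and executable but not writable, the data, heap and stack are writable but not executable, and only the anonymous mapping is flagged.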
Booting Sequence and Security
 Typical booting sequence is
 BIOS
 Secondary Boot Loader
 Operating System
 There is a chain of trust in the booting process
 An attacker can subvert the booting process by altering or modifying something in any of these components
 In order to protect the system from such changes, most systems have a BIOS password
Hibernation and Security
 Hibernation is the concept of saving the state of the system to disk
 Typically the state information is stored in a file
 Entire main memory is copied into a file (in a compressed format)
 Since the entire state is copied onto disk
 All passwords and other sensitive information carry the danger of being exposed
 Researchers have shown the feasibility of extracting such information by mounting a live CD attack
 On a Windows machine the state is stored in the file c:\hiberfil.sys
Password and User Account Management in Operating System
 Naive approach
 Create a file named password where all users' passwords are stored
 Neminath : pass156
 Gourinath : test234
 Somnath : temp123
 Save the file password in a place in the system
 What if a thief gets access to this file?
 All user accounts are compromised
 What can we do to prevent it?
 Encrypt the file containing the passwords
 Seems a good idea but not enough
 There is a key used to encrypt the file
 How does the OS verify the password?
 Key needs to be somewhere in the system
 Key needs to be stored
 If the file containing the passwords can be stolen, the key can also be stolen
 Use one-way hashing and salting: most flavors of Unix systems use this method
Password and User Account Management in Operating System
 One way hashing is a function f
 Characteristic of this function is
 When supplied x, it computes f(x) easily
 But the inverse is extremely complex, i.e., given f(x) it is difficult to calculate x.
 An example
 Convert all the characters into their ASCII values and XOR them
 The result is a small number derived from the XOR operation
 Store the hash value in the password file
 Note we do not store the password anywhere
 The idea is to make it impossible to guess the password even if the hash value is known
 Now the password file looks like
 Neminath : a12hf
 Gourinath : b4a2e
 Somanath : d34ef
Password and User Account Management in Operating System
 From a thief's perspective
 She can start guessing passwords one by one and compare them to the hash values in the password file
 She needs to know which hash function to use
 There are only a handful of good one-way hash functions implemented
 So it's easy to guess one or find one out
 Using a table called a rainbow table (which is a list of common pre-computed password hashes) it is easy to break it
 Even if one user uses a weak password which matches one in the dictionary, system security is compromised
 This is addressed through a technique called salting
Password and User Account Management in Operating System
 Salting
 Do not hash passwords as they are; add something to them and then hash
 Unix systems use an additional 12-bit number to hash the password
 How to choose the value of the salt
 Deterministic across the users: not a good idea!
 Unique for each user: sounds good, but how to get a unique one
 Take the current timestamp of the system and divide it by a predetermined number to get a 12-bit remainder; use it as the salt.
 Metadata as salt: use the birthday or PAN number of the user as salt
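An added example, not part of the original slides, covering the three password slides above: the XOR toy hash and why it collides, a precomputed table recovering unsalted hashes, and per-user salting defeating that table. It is an assumption of this example to use SHA-256, PBKDF2 and a random 16-byte salt from os.urandom in place of the 12-bit salt and the salt sources listed on the slide; the word list is constructed.

```python
import hashlib
import hmac
import os

def xor_hash(password):
    """The slide's toy hash: XOR of the ASCII values of all characters."""
    h = 0
    for byte in password.encode("ascii"):
        h ^= byte
    return h  # always below 128, so collisions are unavoidable

def unsalted(password):
    """Plain one-way hash with no salt: same password, same hash everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password, salt=None):
    """Return (salt, digest) using a per-user salt and a slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(make_record(password, salt)[1], digest)

# Users and passwords from the slide; the word list is constructed sample data.
USERS = {"Neminath": "pass156", "Gourinath": "test234", "Somnath": "temp123"}
WORDLIST = ["letmein", "pass156", "test234", "temp123", "qwerty"]

def precomputed_table(words):
    """Hash-to-password lookup built once and reusable against any file."""
    return {unsalted(w): w for w in words}

def crack_unsalted(password_file, table):
    """Recover every entry whose unsalted hash appears in the table."""
    return {u: table[h] for u, h in password_file.items() if h in table}

if __name__ == "__main__":
    print("toy hash collision:", xor_hash("ab"), xor_hash("ba"))
    stolen = {u: unsalted(p) for u, p in USERS.items()}
    print("unsalted file cracked:", crack_unsalted(stolen, precomputed_table(WORDLIST)))
    (s1, d1), (s2, d2) = make_record("pass156"), make_record("pass156")
    print("same password, different salted digests:", d1 != d2)
```

With salting, the table has to be rebuilt for each user's salt, so one precomputation no longer breaks every account at once.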
Unix Password Management
 The file /etc/passwd stores the Unix users' passwords
 The Unix password is hashed and salted
 Salting and hashing effectively increase the amount of work needed to break into the target system
 Algorithm
 Take the first 8 ASCII characters of the user password and encrypt a 64-bit constant consisting of all 0's
 If the user password is less than 8 characters, suitably pad it to make it 56 bits
 Encrypt the 64-bit block of 0's 25 times with DES using the user password as key
 The resultant encrypted version is stored in the file
Windows Event Logging
Windows Event Logs
 Types of Logs
 Application logs: events from applications
 Security logs: login and logout details, failed logins
 System logs: events from system components
 The event header contains
 Date and time
 User and Computer
 Event ID
 Level
 Source
 Category
Windows Event Logs
 Types of Events
 Information: normally indicates successful operation of something
 Warning: indicates an issue that is not severe but may be troublesome in future
 Error: describes a significant problem
 Success Audit (Security log): when a user successfully logs into the system
 Failure Audit (Security log): a failed login attempt
An Example
 Level: Warning
 Time and day: 12/6/2013 12:34:21 PM
 Source: Tcpip
 Event ID: 4228
 Task category: None
 Details: TCP/IP has chosen to restrict the scale factor due to a network condition. This could be related to a problem in a network device and will cause degraded throughput.
 Issue is related to communication
 Scale factor is related to receive window size
 By using the window scale option, the receive window size may be increased up to a maximum value of 1,073,725,440 bytes. This is done by specifying a one byte shift count in the header options field.
 The true receive window size is left shifted by the value in shift count. A maximum value of 14 may be used for the shift count value.
Logging at Many Places
 Windows event logs
 Antivirus programs
 Firewalls
 Radius server
 DHCP server
 IDS and IPS ...
Event Correlation
Courtesy: SANS Analyst Program Document
Sequence of Events
Courtesy: SANS Analyst Program Document