Document

Download Report

Transcript Document 

Operating System security
Ge Zhang
[email protected]
Karlstad University
Karlstad University
Outline
• Operating system
• Basic access control schemes
• Examples: Unix/Linux
Karlstad University
Operating systems
User Applications: my sql, apache, calc, firefox, etc
Operating system: windows, linux, unix
Hardware: memory, CPU, HD, etc
•
•
•
•
Karlstad University
Process management
File access
Memory management
Security (authentication, authorization,…)
Objects and Subjects
• Subject
– Active entity in a computer system
• User, process
• Object
– Passive entity or resource in a computer system
• Files, network devices, printers
In defining access controls, you can either specify
• what a subject is allowed to do
or
• what may be done with an object
Karlstad University
Who can define the permissions
• Discretionary - the owner of the resource decides
who is allowed to have access
• Mandatory - the system-wide policy decides who is
allowed to have access
Karlstad University
Permissions
Permissions for files may include
• read
• write
• execute
• append
• delete
• change permission
• change ownership
Karlstad University
Access Control Matrix
•
Subjects: Alice, Bob
Objects: bill.doc, edit.exe, fun.bat
Operations: read (r),,write (w),execute (e)
bill.doc
•
Karlstad University
edit.exe
fun.bat
Alice
-
{e}
{e,r}
Bob
{r,w}
{e}
{e,r,w}
Not suitable for direct implementation
– The matrix is likely to be extremely sparse and therefore implementation is
inefficient
– Management of the matrix is likely to be extremely difficult if there are 10,000 of
files and 100 of users (resulting in 1,000,000 of matrix entries)
Capabilities
• Access rights are kept with the subjects
• i.e.,
– Alice’s capability: edit.exe: execute; fun.com: execute, read
• Problem
– It is difficult to get an overview of who has permission to access a
given object
– It is difficult to revoke a capability
Karlstad University
Access Control Lists
• Access rights can be kept with the objects (Access
Control Lists).
• i.e. ACL for fun.com Alice: execute, read; Bill:
execute, read, write
• A fitting concept for O.S.
• But… problem?
Karlstad University
Image such a ACL
• ACL for exam11.txt Alice: read, write; Bill: read,
write; Charlie: read, write; Dan: read, write; Eva:
read, write; Frank: read, write; …. (another 200+
students)
Karlstad University
Intermediate Controls: Groups
S1
S2
G1
O1
O2
S3
S4
S5
S1
G2
O3
S2
S3
S4
G1
O4
O1
O2
O3
• Groups and Negative permissions
• ACL for exam11.txt Student_group: read, write;
Karlstad University
O4
Protection rings
• A simple intermediate layer of hardware based
access control
– 2 bit field in status register (0-3)
– Defines 4 privilege levels (protection rings)
– Each subject (process) and each object is assigned a
number
• It is mainly for integrity protection for operating
system kernel
Karlstad University
3
2
1
0
• Now we take Unix/Linux system as an example
Karlstad University
Security schemes in Unix/Linux
• Account security
– User authentication
• File system security
– File access control
• Management issues
– Audit log
– Environment variables
– Manage the superuser
Karlstad University
Account security (1)
• User Accounts (/etc/passwd)
– User name: a string up to 8 characters
– User identities (UIDs) and group identities (GIDs) [Superuser
(Root, UID=0)]
– Unix does not distinguish between users with the same UID!!!!
– Home directory
– Shell
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
jim:x:500:100:Jim Smith:/home/jim:/bin/bash
Karlstad University
Account security (2)
• Shadow file (/etc/shadow) (only accessable to the users with root
privilege)
– User name
– Password (algorithm, salt, hashed password)
• *: login is disabled
• Empty: no password is required
– Last password change
– Minimum: the number of days left before the user is allowed to change his/her
password
– Maximum: The maximum number of days the password is valid (after that user
is forced to change his/her password)
root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::
Karlstad University
Account security (3)
salt
Password (plaintext)
One-way function
Password (encrypted)
root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::
Karlstad University
Account security (4)
• Groups
– Users belong to one or more groups
– To share files or other resource with a small number of users
– Ease of user management (give privilege)
• Group file (/etc/group)
–
–
–
–
Group name
Password
Group ID (GID)
Group list: members
student:x:24:alice, bob, raj
teacher:x:12:raj, nick
Karlstad University
File system (1)
• The inode: each file entry in a directory is a pointer to a
data structure
–
–
–
–
–
–
–
–
Karlstad University
mode: types of file and access rights
uid: the owner’s id
gid: the owner’s group id
atime: last access time
mtime: last modification time
itime: last inode alteration time
block count: size of file
physical location
File system (2)
•
•
•
•
The type of the file: ‘-’ for regular file, ‘d’ for directory
File permissions
Link counter
Name of the owner and the group
- rw-r--r-- 1 nick staff 1617 Oct 28 11:01 test.txt
drwx------ 2 nick staff 512 Oct 25 17:55 tmp/
Karlstad University
File system (3)
• Owner (r, w, x), group (r, w, x), other (r, w, x)
• Two ways to represent
– String: rwxr--r-– Octal number: 744
• System default permissions: 666 or 777
• (umask): a three-digit number specifying the rights that
should be withheld
– System default permissions AND NOT umask
• For example: umask 777 (denies all)
Karlstad University
File system (4)
• Permission for directories
– Read: find which files are in the directory (e.g., ls)
– Write: add files, remove, or rename files in the directory
– Execute: enter the directory and open files in the
directory (even for your own files)
Karlstad University
File system (5)
• “a real pain if you try and install a permanent file in
someone’s directory.”
drwxrwxrwx 4 root sys 485 Nov 10 06:01 /tmp
• Sticky bit: restrict the right to delete a file.
• Only the file's owner, the directory's owner, or the
root can rename or delete files.
drwxrwxrwt 4 root sys 485 Nov 10 06:01 /tmp
Karlstad University
File system (6)
• Unix requires higher privilege temporarily to execute
some operations
– e.g., change password
• SUID (set userID), SGID (set groupID)
• A user who is executing this program will get the
privilege of the owner temporarily
-rws--x--x 3 root root 16384 Nov 16 1996 passwd*
Karlstad University
Processes
• Each process has a process ID (PID)
• Two pairs of UID/GID for each process
– A real UID/GID
– An effective UID/GID
• The login process
process
Real UID
Effective UID
Real GID
Effective GID
/bin/bash
nick
nick
staff
staff
/bin/passwd
nick
root
staff
root
/bin/ls
nick
nick
staff
staff
Karlstad University
File system (7)
• To change the attributes
• chmod
–
–
–
–
Karlstad University
who: u, g, o, a
Permission: r, w, x, s, t
chmod 777 file
chmod o+r file
File system (8)
• How to set sticky bit, SUID, SGID?
• Need a fourth number
– 4??? set user ID on execution
– 2??? set group ID on execution
– 1??? set sticky bit
Karlstad University
File system (9)
• How to remove a file in a secure way?
• Links
• You removed the original link to the file, but…
• ncheck: list all links to a file
• Furthermore, the file is not really deleted!
– User wipe
Karlstad University
Changing the root of the filesystem
• Sandbox: access to objects outside the sandbox is
prevented
• chroot <directory> <command>
• Changes the root directory from / to <directory>
when <command> executes
• For example, a web server
Karlstad University
Search path
• Shell: a command line interpreter
• For easy-to-use: user input command without
specifying the full pathname
• Searchpath in the .profile
• PATH=.:$HOME/bin:/usr:/bin:/usr/bin:/usr/local:/usr/
new:/usr/hosts
Karlstad University
Manage the superuser
• Superuser is the major weakness
• Compromise the account
– Weak password
– Change UID to 0
– Crash the process with root privillege
• Presentation
– Admin should not use root as their personal account
(using SU, SUDO)
– Strong password protection
Karlstad University
Questions
Karlstad University