Embed Size (px)
Citation preview
CSCD 303Essential Computer SecuritySpring 2013
Lecture 6 - Desktop Security
Overview
• Learning Objectives– Understand the functions of an
Operating System including its security functions– Learn about the different levels of
privilege– Learn about Windows Access Control
OS Design Decisions
• The kernel is the heart of the OS and manages most of the functionality of the OS including access to device hardware
• Have been competing designs for the kernel – Monolithic vs Micro Kernel vs Hybrid Kernel Designs– These design decisions affect ultimate security of
OS
Nice resource for Operating System Concepts http://www.brokenthorn.com/Resources/OSDevIndex.html
VS
OS Design Decisions
• Monolithic Design– Integrate a great deal of functionality into
OS core– Services are interdependent – Core system is larger– Every flaw in system is exposed through
services that depend on that system
Monolithic Kernel
Monolithic kernel where all services File system, device drivers as well as core
functionality scheduling, memory allocation are a tight knit group sharing same space
Do not confuse term modular kernel to be anything but monolithic
Some monolithic kernels can be compiled to be modular
What matters is that module is inserted to and run from same space that handles core functionality
Examples of Monolithic Kernel?
Monolithic Kernel Diagram
KernelSpace
Monolithic Kernel Pros and Cons Pros
* More direct access to hardware for programs * Easier for processes to communicate between each other * If your device is supported, it should work with no
additional installations * Processes react faster because there isn’t a queue for
processor time
Cons
* Large install footprint * Large memory footprint * Less secure because everything runs in supervisor or
privileged mode
Micro Kernel A micro kernel Core functionality is isolated from
system services and device drivers For instance, VFS (virtual file system) and
block device file systems are separate processes that run outside kernel's space,
– Using IPC to communicate with kernel, other services and user processes
– IPC means Interprocess Communication Example of Micro kernel? Minix
Micro Kernel Architecture
Kernel Mode
Micro Kernel Pros and Cons
Pros Portability Small memory footprint Security Better - not as much runs in supervisor or privileged mode
Cons Hardware is more abstracted through drivers Hardware may react slower because drivers are in user mode
Processes have to wait in a queue to get information Processes can’t get access to other processes without waiting
Hybrid Kernel
Hybrid kernel is architecture based on combining aspects of microkernel and monolithic kernel architectures used in computer operating systems
A hybrid kernel runs some services in kernel space to reduce performance overhead of traditional microkernel, while still running kernel code as servers in user space
For instance, a hybrid kernel design may keep Virtual File System and bus controllers inside kernel and file system drivers and storage drivers as user mode programs outside the kernel
– Such a design keeps the performance and design principles of a monolithic kernel.
Whats an example of a Hybrid kernel?
Hybrid Kernel Architecture
Hybrid Kernel Pros and Cons
Pros * Developer can pick and choose what runs in
user mode and what runs in supervisor mode * Smaller install footprint than monolithic
kernel * More flexible than other models
Cons * Can suffer from same process lag as
microkernel * Device drivers need to be managed by user
(typically)
Operating Systems (OS)Functions• What do OS's do?– The operating system's tasks, in the most
general sense, fall into six categories:– Processor management– Memory management– Device management– Storage management– Application interface– User interface
Operating System Functions
Picture from HowStuffWorks.com
OS controls every task of your computer plus access to all the computer resources
OS Functions
• Processor Management– Allows multiple processes to share resources
of processor fairly– Does this by scheduling processes to get
execution time• User Processes• Microsoft Word, Foxfire or Skype• System Processes: • Print spooler, network connections, security
accounts manager ... plus many others
SchedulerTasks
Memory Storageand Management• When an operating system managescomputer's memory, there are twobroad tasks to be accomplished:
1. Each process must have enough memory in which to execute, and respect memory boundaries of each other
2. Different types of memory must be used properly so that each process can run most effectively such as– Cache, RAM and Virtual Memory
• First task requires operating system to set up memory boundaries for types of software and for individual applications
Device Management
• Path between operating system and virtually all hardware not on computer's motherboard goes through special program called a Device Driver– Driver's function by translating between
electrical signals– Hardware subsystems and high-level
programming languages of operating system and application programs
Device Management
• Drivers are separate from operating system so that new functions can be added to the driver
• Thus to hardware subsystems–Without requiring operating system itself
to be modified, recompiled and redistributed
Device Drivers
Linux Windows Smart Card
Storage Management
• Manages and Organizes disk resources– Includes temporary devices too– CD and DVD drives, thumb drives, external drives
• Creates file systems for storing both OS types of files and user files
• Must somehow keep track of who can access these files – Access Control
Application ProgrammingInterface (API)• Drivers provide a way for applications
to make use of subsystems without having to know every detail of internal operations– Application Program Interfaces (APIs) let
application programmers use OS functions without having to directly keep track of all the details in CPU's operation– Hides details of processor and other
resources from the program
Application ProgrammingInterface (API)• For Example– Microsoft Word or Open Office Word
Processor – You click, “Save file”– If didn't have an API• Word or Open Office would have to know all
details of file system and ultimately call disk controller to create file on disk• Instead, language program is written in, like
C or Java has a function that is mapped to operating system API for creating file
User Interface
• User Interface (UI) brings structure to interaction between user and computer– In last decade, almost all development in
user interfaces has been in area of graphical user interface (GUI),– Provides the “look and feel” of the
computer
MAC OS X
User Interface
Windows Vista
Operating System Security Functions
OS Security functions
• Can ask … What are primary security functions of most (all) modern Operating Systems?
• Most OS implements two functions1. User authentication2. Access to resources
1. User authentication – 2 partsa. Positively identify the user
– Compare to stored identity, user IDb. Authenticate the user
– User must provide additional information– Password, biometric attribute, keycard
OS Security functions
2. Access to Authorized Resources– Decision based on access rules– Typical authorization based on user or
group individual membership and– Labels attached to objects
• Example: Windows users with admin privilege – Allowed to both view and change user
accounts
OS's Manage Privilege Level
• Two levels of privilege in modern CPU's• This is offered by CPU itself, Intel, AMD
1. User mode – unprivileged2. Kernel mode – more privileged
• OS runs in Kernel more privileged mode• User programs run in User less
privileged mode– User programs make calls to the OS
• To use the hardware resources• Use the OS API to access hardware
User Powers
• Seems to be a need to have a user with greater powers– Root, superuser or administrator
• Yet, this comes with added risk– If user makes a mistake, can possibly
damage the system– Or, if they get their identity stolen,
attacker has full power to OS
User Powers• Because of this risk problemfrom elevated power, concept of – “Least Privilege”
• Only want to operate with minimum of needed power to get job done
– So, while I could always log in as Administrator, if I get my account hijacked or I get infected by malware while I am administrator
• Attackers then have full access to the machine's resources
– Example: In Linux Ubuntu, have sudo command
Windows Security Features
Windows has evolved from a minimal security model prior to Windows NT to something fairly robust in enterprise environments with Windows Vista, 7, Server 2003, Server 2008 and beyond
Look at main features of Windows security common to all Windows versions
Access Control
Gatekeeper to Windows Called Local Security Authority (LSA) Implemented in the service, lsass.exe What it Does 1. Validates access to objects 2. Checks user privilege 3. Creates audit messages
Access Control
Allows subjects to access objectsSubjects – Any entity that performs some action
Subjects are not just people or users Subjects are actually processes in Windows
Objects – securable objects• Have associated Access Control Lists
(ACL's)– Lists of permissible actions by subjects
Securable Objects • Files, directories, services, Registry Keys,
Printers
3535
Windows ACLs
Sets of rights Basic:
read, write, execute, delete, change permission, take ownership
Generic: no access, read (read/execute), change
(read/write/execute/delete), full control (all), special access (assign any basic
rights) Directory:
no access, read (read/execute files in
directory), list, add, add and read, change (create, add, read,
execute, write files; delete subdirectories),
full control, special access
Access Control Components User Accounts
• Store an identifier and have associated privileges • Allow access to objects and system resources• Has associated Security Identifiers for internal use
(SID)
Windows has built-in accounts• SYSTEM – powerful local machine account• Administrator – All powerful, can be renamed but not deleted
Groups• Grouping user accounts with similar privileges• Some built-in groups • User Accounts in a group inherits the privileges of a group
Examples of built-in groups• Administrators, Back-up Operators, Guests and many others
Security Identifiers (SIDs)
User account
has SID that uniquely
identifies it
Access Control User Rights
Say … you log onto a Windows System How are you authenticated and what authorizes
you to access computer resources? The Log-on process
You enter your User ID and password Entered credentials passed to LSASS subsystem, lsass.exe Will go over details when we discuss passwordsIf credentials are valid, a Token is created and
attached to logon session
The Token Whats in a token?
• Contains a list of Security ID's associated with a user account
– You can have multiple SIDs because you belong to multiple groups
• So, when user tries to access a resource such as a file, token is used by the LSASS subsystem
How is token used?• Object, say a file will have an Access
Control List (ACL) that specifies SID's permitted to access the object
• If one of SID's in users token matches SID in Object's ACL, user granted access
Windows Privilege Levels
• In XP and other pre-Vista versions– Had 2 choices of privilege– 1. Administrator or 2. Normal user• Administrator – access to everything• Normal user – many system level tasks you
needed to do, you couldn't do
– Consequently, most people ran as Administrator most of the time
Windows Privilege Levels
• Vista and Windows 7 – Have more choices– Can operate as a restricted normal user
and still be able to do almost everything in OS– And when necessary, you can be
elevated to an administrator for a short time to accomplish some task– Called UAC – User Account Control
http://technet.microsoft.com/en-us/library/cc772207%28v=WS.10%29.aspx
User Account Control
What does it do? UAC allows an administrator to enter
credentials during a non-administrator's user session
to perform occasional administrative tasks without having to switch users, log off, or use the Run as command
UAC also can also require administrators to specifically approve applications that will make "system-wide" changes before those applications are allowed to run, even in the administrator's user session
User Account Control
Windows Vista and 7, how it works: Admin Approval Mode (AAM), by
default, is not enabled for the Built-in Administrator Account in Windows Vista or 7
Built-in Administrator Account is disabled by default in Windows Vista, and first user account created is placed in local Administrators group, and AAM is enabled for that account
Benefits of UAC
Admin Approval Mode helps prevent malicious programs from silently installing without an administrator's knowledge
It also helps protect from inadvertent system-wide changes
Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process
Tasks Only Administrators Can Perform
Create, change, and delete user accounts and groups Install and uninstall programs Configure automatic updating or install Windows updates
manually Install an ActiveX control Install or remove hardware device drivers Share folders Set permissions Access all files, including those in another user’s folder Take ownership of files Copy or move files into the %ProgramFiles% or
%SystemRoot% folders Restore backed-up system files Grant rights to other user accounts and to themselves Configure Parental Controls Configure Windows Firewall
Tasks Available to Standard Users
Change the password and picture for their own user account
Use programs that have been installed on the computer
Install approved ActiveX controls Configure a secure Wi-Fi connection View permissions Create, change, and delete files in their document
folders and in shared document folders Restore their own backed-up files View the system clock and calendar, and change
the time zone Configure power options Log on in Safe Mode
Summary
Operating Systems by designHelps or hinders security
Users and processes have access to resources on a given system According to their identities and group affiliations
Want the concept of Least Privilege to be in effectUse the least privilege level to get the job doneHelps with restricting access by potential bad
guys
The End
• Next Time: More Desktop • Next: Vista Lab, meet in CEB 342 according
to the day you signed up
