IIT Indore © Neminath Hubballi
Operating System Security
Dr. Neminath Hubballi
Outline
- Functions of Operating System
- Security concerns in OS
- Process security
- File security
- Booting security
- Hibernation security
- Password based security
- Event log management in Windows
Functions of Operating System
- Is a mediator between user applications and hardware
- Handles many complex tasks:
  - Memory management
  - Process management
  - Handling deadlocks
  - File system support
  - Multitasking
  - Multi-user support
What Can Go Wrong?
- Consider a situation where there is a shortage of systems in the school of CSE, IITI
- If you are asked to share the same PC with your peers, what do you want to do?
- Users have different levels of access, based on role
- Multiple users and multitasking require a level of protection:
  - One user from interfering with other users
  - One program from interfering with other programs
- Sharing of resources
- Optimization
Organization of Computer Hardware and Software
- Hardware: many devices; each device has a driver, which provides the APIs used to access it
- Kernel: the heart of the OS; manages the low-level hardware resources
- Non-essential components of the OS, e.g. a printing program
- User applications: access the services provided by the OS through system calls

Layers, from top to bottom:
User Applications
Non-Essential OS Applications
OS Kernel
Hardware
Process
- The kernel defines the notion of a process
- Programs are stored in persistent storage; a process is a running instance of a program
- Can multiple copies of the same program run simultaneously? Yes: each copy is a separate process with its own state
- Time slicing
- Process tree
  - fork system call
  - Parent and child
  - Peers (siblings, children of the same parent)
- In a Linux system init is the root of the process tree, meaning all other user-space processes descend from it. Its PID is 1, not 0 (PID 0 is the kernel's idle task). On modern distributions PID 1 is usually systemd, and kernel threads descend from kthreadd (PID 2) rather than from init
Process Privileges
- To enforce appropriate access restrictions on a process, the operating system associates privilege information with the process
- By default this privilege is the same as the privilege of the user who is running the process; a child created with fork inherits it from its parent
- Each process has a user id (uid) and a group id (gid)
- The uid is a number that uniquely identifies each user. The slide's range of 0 to 32767 is the signed 16-bit range of early Unix; modern Linux uses a 32-bit uid_t
- Typically uid 0 is assigned to the root user
- Similarly, the gid is a number in the same range
- The effective user id (euid) is the user id whose privileges are used when access to a resource is checked. It normally equals the uid; it differs for set-uid programs such as passwd, which run with the euid of the file's owner
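The parent/child relationship created by fork and the inheritance of uid and euid across it, as an added example that is not part of the slides. It assumes a POSIX system with os.fork; the uid 65534 it uses to probe whether the child may change its euid is assumed to be the conventional "nobody" account.

```python
"""Added example (not from the slides): fork() a child, have it report its
identity back over a pipe, and show that it runs with its parent's uid/euid.
Constructed demo; requires a POSIX system."""
import os
import struct

FMT = "iiiii"            # child pid, child ppid, uid, euid, could_change_euid (0/1)
CHILD_EXIT_CODE = 7
NOBODY_UID = 65534       # assumption: conventional 'nobody' uid on the host


def running_as_root():
    return os.geteuid() == 0


def _try_change_euid(target_uid=NOBODY_UID):
    """1 if this process could take on another effective uid, else 0.
    Only root (euid 0) may assume another identity; anyone else gets EPERM."""
    try:
        os.seteuid(target_uid)
        return 1
    except OSError:
        return 0


def fork_and_report():
    """Parent forks; child writes (pid, ppid, uid, euid, changed) to a pipe and
    exits with CHILD_EXIT_CODE; parent waits and returns what it learned."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                    # child branch
        os.close(r)
        ident = (os.getpid(), os.getppid(), os.getuid(), os.geteuid())
        changed = _try_change_euid()                # probed in the child so the parent stays untouched
        os.write(w, struct.pack(FMT, *ident, changed))
        os.close(w)
        os._exit(CHILD_EXIT_CODE)
    os.close(w)                                     # parent branch
    data = os.read(r, struct.calcsize(FMT))
    os.close(r)
    _, status = os.waitpid(pid, 0)
    cpid, cppid, cuid, ceuid, changed = struct.unpack(FMT, data)
    return {
        "forked_pid": pid, "child_pid": cpid, "child_ppid": cppid,
        "child_uid": cuid, "child_euid": ceuid,
        "child_could_change_euid": bool(changed),
        "parent_pid": os.getpid(), "parent_uid": os.getuid(),
        "parent_euid": os.geteuid(), "exit_code": os.WEXITSTATUS(status),
    }


if __name__ == "__main__":
    for key, value in fork_and_report().items():
        print(f"{key:>24}: {value}")
```

The child's uid and euid equal the parent's: a process cannot give itself more privilege by forking, and only a process already running as root can switch identities with seteuid.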
File Ownership and Permissions
- Permissions are assigned to each file/directory
  - Provide security: the ability to manage users and their files
  - Needed to access a file/directory
  - Usually granted to groups as well as to the owner
- In multi-user operating systems like Linux, access is given only to authorized users
- Super (root) user has special privileges:
  - In a sense owns everything
  - Can change file ownerships
  - Bypasses the permissions that the owner of a file may have set (the one exception: executing a file still requires at least one execute bit on it)
  - The root account is used to provide administrative functions
File Ownership and Permissions
- Unix systems treat everything as a file. Special files include:
  - Devices: a piece of hardware, either part of the system or an external unit
  - Sockets: a means of communicating with other processes
- Permissions can be Read, Write and Execute, set separately for the owner, the group and others
- File system: ext2 and ext3 (and ext4) record ownership and permissions, so they apply; FAT has no means of recording ownership, so a mounted FAT volume shows a fixed owner and mode chosen at mount time
Sticky Bit in Unix
- Sticky bit: mainly used to stop some other user deleting a file even though she has write permission on the folder
- If the sticky bit is enabled on a folder, entries in it can be deleted (or renamed) only by the owner of the entry, the owner of the folder, and the root user
- This is a security measure to avoid deletion of critical folders and their content (sub-folders and files), though other users have full permissions on the folder. The classic example is /tmp, which is world-writable with the sticky bit set
- Setting the sticky bit: chmod +t /opt/dump/ (+t indicates the sticky bit)
- Checking the sticky bit: ls -ld /opt/dump/ shows a t in place of the final x (a T if others lack execute), e.g. drwxrwxrwt
- Revoking the sticky bit: chmod -t /opt/dump/
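The permission checks described in the two File Ownership and Permissions sections and in this Sticky Bit section, as one added example that is not part of the slides: a model of the classic owner/group/other check with the root bypass, the sticky-bit rule for deleting a directory entry, and a check of the real bit on a temporary directory. The uids, gids and modes in the demo calls are constructed; the filesystem part assumes a POSIX system.

```python
"""Added example (not from the slides): Unix discretionary access check, root
bypass, the sticky-bit unlink rule, and reading the bit back from a real
directory. Identities and modes used below are constructed for the demo."""
import os
import stat
import tempfile

ROOT_UID = 0


def mode_allows(mode, file_uid, file_gid, euid, egid, groups, want):
    """May a process (euid, egid, supplementary groups) perform the accesses in
    `want` (a string of r/w/x) on a file with this mode and ownership?
    Class selection is exclusive: the owner is judged by the owner bits only,
    even when the group or other bits would be more permissive."""
    if euid == ROOT_UID:
        # root bypasses rwx checks, except execute on a file with no x bit at all
        return not ("x" in want and not (mode & 0o111))
    if euid == file_uid:
        bits = (mode >> 6) & 0o7
    elif egid == file_gid or file_gid in groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    need = sum(bit for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if ch in want)
    return (bits & need) == need


def can_unlink(dir_mode, dir_uid, dir_gid, entry_uid, euid, egid, groups):
    """unlink()/rename() of an entry needs write+search on the directory; with
    the sticky bit set the caller must also own the entry or the directory
    (root is exempt)."""
    if not mode_allows(dir_mode, dir_uid, dir_gid, euid, egid, groups, "wx"):
        return False
    if dir_mode & stat.S_ISVTX and euid != ROOT_UID:
        return euid in (entry_uid, dir_uid)
    return True


def sticky_bit_set(path):
    """What the t in `ls -ld` reports: S_ISVTX in st_mode."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def sticky_demo():
    """Create a world-writable directory, set the sticky bit as `chmod +t` does,
    read it back, clear it as `chmod -t` does. Returns (after_set, after_clear)."""
    base = tempfile.mkdtemp()
    d = os.path.join(base, "dump")
    os.mkdir(d)
    os.chmod(d, 0o1777)          # rwxrwxrwt, like /tmp
    after_set = sticky_bit_set(d)
    os.chmod(d, 0o777)           # sticky bit revoked
    after_clear = sticky_bit_set(d)
    os.rmdir(d)
    os.rmdir(base)
    return after_set, after_clear


if __name__ == "__main__":
    tmp = (0o1777, 0, 0)         # /tmp: rwxrwxrwt owned by root (constructed)
    print("alice removes alice's file in /tmp:", can_unlink(*tmp, 1000, 1000, 1000, []))
    print("bob removes alice's file in /tmp:  ", can_unlink(*tmp, 1000, 1001, 1001, []))
    print("root removes alice's file in /tmp: ", can_unlink(*tmp, 1000, 0, 0, []))
    print("sticky bit set, then cleared:", sticky_demo())
```

Note the mode 0o044 case in the test: an owner who has removed her own read bit is refused even though group and others may read, because the owner class is selected first and the other classes are never consulted.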
Memory Management
- Process granularity
  - Each process upon creation is allocated some memory, called its address space
  - This memory is organized in segments: .text, .data, .bss, and the heap and stack segments
  - Each segment has its own access permissions: readable, writable and executable (on Linux, cat /proc/self/maps lists the segments with their rwx flags)
  - The operating system protects one process from another by not allowing access to another process's address space
- Global granularity
  - Kernel address space
  - User address space
Booting Sequence and Security
- Typical booting sequence is:
  BIOS (or UEFI firmware)
  Secondary boot loader
  Operating system
- There is a chain of trust in the booting process: each stage loads and hands control to the next, so the running system is only as trustworthy as every stage before it
- An attacker can subvert the booting process by altering or modifying something in any of these components
- To protect the system from such changes most firmware supports a BIOS password. Note that a BIOS password only restricts changes to firmware settings such as the boot order; it does not verify the boot loader or the kernel, which is what verified-boot mechanisms such as UEFI Secure Boot are for
Hibernation and Security
- Hibernation is the concept of saving the state of the system to disk
  - Typically the state information is stored in a file
  - The entire main memory is copied into the file (in a compressed format)
- Since the entire state is copied onto disk, all passwords, keys and other sensitive information held in memory carry the danger of being exposed
- Researchers have shown the feasibility of extracting such information by booting the machine from a live CD and reading the hibernation file offline
- On a Windows machine the state is stored in the file C:\hiberfil.sys
Password and User Account Management in Operating System
- Naive approach: create a file "password" where all users' passwords are stored in the clear
  Neminath : pass156
  Gourinath : test234
  Somnath : temp123
- Save the password file somewhere in the system. What if a thief gets access to this file? All user accounts are compromised
- What can we do to prevent it? Encrypt the file containing the passwords
  - Seems a good idea but not enough
  - There is a key used to encrypt the file, and the OS must decrypt to verify a password at login, so the key needs to be stored somewhere in the system
  - If the file containing the passwords can be stolen, the key can also be stolen
- Use one-way hashing and salting: most flavours of Unix systems use this method
Password and User Account Management in Operating System
- One-way hashing is a function f with the characteristic that, when supplied x, f(x) is computed easily, but the inverse is extremely hard: given f(x) it is difficult to calculate x
- A toy example: convert all the characters into their ASCII values and XOR them
  - The result is a small number derived from the XOR operation
  - Store the hash value in the password file; note that we do not store the password anywhere
  - This toy function is not one-way in practice: XOR of the bytes has only 256 possible outputs, so many passwords collide and any colliding string is accepted. Real systems use cryptographic hash functions
- The idea is to make it infeasible to recover the password even if the hash value is known
- Now the password file looks like:
  Neminath : a12hf
  Gourinath : b4a2e
  Somanath : d34ef
Password and User Account Management in Operating System
- From a thief's perspective:
  - She can start guessing passwords one by one, hash each guess and compare it to the hash values in the password file
  - She needs to know which hash function is used, but there are only a handful of good one-way hash functions in use, so it is easy to guess or find out which one
  - Using a rainbow table (a precomputed table that maps hash values of common passwords back to the passwords) it is easy to break unsalted hashes
- Even if one user uses a weak password which matches an entry in the dictionary, system security is compromised
- This is addressed through a technique called salting
Password and User Account Management in Operating System
Salting
- Do not hash the password as it is: add something (the salt) to it and then hash
- Traditional Unix crypt uses an additional 12-bit number as the salt when hashing the password
- How to choose the value of the salt
  - Deterministic across users: not a good idea, since equal passwords give equal hashes and one precomputed table breaks every account
  - Unique for each user: sounds good, but how to get a unique one?
  - Take the current timestamp of the system and divide it by a predetermined number to get a 12-bit remainder; use it as the salt (the approach of early Unix)
  - Metadata as salt: use the birthday or PAN number of the user as the salt. Caveat: a salt need not be secret, but it should be unique and unpredictable; user metadata is predictable, and current systems draw the salt from a cryptographic random number generator instead
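The points of the last three sections (the XOR toy hash, the precomputed-table attack on unsalted hashes, and per-user salts) carried through in one added example that is not part of the slides. The three users and their passwords are the slide's; the wordlist, the SHA-256/PBKDF2 choices, and the stored-hash layout (loosely modelled on the $id$salt$hash style of /etc/shadow) are constructed for this demo.

```python
"""Added example, not from the slides: the toy XOR "hash" and why it is not
one-way, a lookup-table attack on unsalted hashes, and per-user random salts
with a slow hash. Wordlist and stored-hash format are constructed."""
import hashlib
import hmac
import os

USERS = {"Neminath": "pass156", "Gourinath": "test234", "Somnath": "temp123"}  # from the slide
DICTIONARY = ["123456", "password", "pass156", "temp123"]                      # constructed
ITERATIONS = 100_000


def xor_hash(password):
    """The slide's toy one-way function: XOR the ASCII values of all characters."""
    h = 0
    for byte in password.encode("ascii"):
        h ^= byte
    return h


def xor_collision(password):
    """Appending any character twice XORs it in and straight back out, so a
    second string with the same toy hash costs nothing to produce."""
    return password + "!!"


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(wordlist):
    """hash -> password for a wordlist: the lookup idea behind rainbow tables
    (a real rainbow table compresses the same mapping into hash chains)."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(pwfile, table):
    """One table lookup per user; users sharing a password fall together."""
    return {user: table.get(h) for user, h in pwfile.items()}


def new_salt(nbytes=16):
    """Unique and unpredictable: from the OS CSPRNG, not a clock or user metadata."""
    return os.urandom(nbytes).hex()


def salted_hash(password, salt, iterations=ITERATIONS):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), iterations)
    return f"$pbkdf2-sha256${iterations}${salt}${dk.hex()}"


def verify(password, stored):
    """Re-derive with the salt and iteration count carried in the stored string."""
    _, _, iters, salt, _ = stored.split("$")
    return hmac.compare_digest(salted_hash(password, salt, int(iters)), stored)


def crack_salted(pwfile, wordlist):
    """No precomputation possible: every guess is re-hashed under each user's
    own salt. Returns (cracked, number of hash computations spent)."""
    cracked, work = {}, 0
    for user, stored in pwfile.items():
        cracked[user] = None
        for w in wordlist:
            work += 1
            if verify(w, stored):
                cracked[user] = w
                break
    return cracked, work


def unsalted_file(users=USERS):
    return {u: unsalted_hash(p) for u, p in users.items()}


def salted_file(users=USERS):
    return {u: salted_hash(p, new_salt()) for u, p in users.items()}


if __name__ == "__main__":
    print("toy hash collides:", xor_hash("pass156") == xor_hash(xor_collision("pass156")))
    print("unsalted:", crack_unsalted(unsalted_file(), build_table(DICTIONARY)))
    print("salted:  ", crack_salted(salted_file(), DICTIONARY))
```

Both attacks still recover the two passwords that are in the wordlist; what the salt changes is the cost. Against the unsalted file the table is built once and reused for every user and every stolen file; against the salted file each guess must be recomputed per user, and the slow hash makes every one of those computations expensive.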
Unix Password Management
- The file /etc/passwd traditionally stored the Unix users' password hashes; modern systems keep the hashes in /etc/shadow, which is readable only by root, while /etc/passwd stays world-readable
- The Unix password is hashed and salted
- Salting and hashing effectively increase the amount of work needed to break into the target system
- Algorithm (traditional crypt(3)):
  - Take the first 8 ASCII characters of the user password; the low 7 bits of each character form a 56-bit DES key. If the password is shorter than 8 characters it is padded with zero bytes
  - Encrypt a 64-bit block of all 0s 25 times with DES, using the password-derived key. The 12-bit salt perturbs the DES expansion permutation, so off-the-shelf DES hardware cannot be used directly to crack it
  - The resultant encrypted version, together with the salt, is stored in the file
Windows Event Logging
Windows Event Logs
- Types of logs:
  - Application log: events from applications
  - Security log: logon and logoff details, failed logons
  - System log: events from system components
- The event header contains:
  - Date and time
  - User and Computer
  - Event ID
  - Level
  - Source
  - Task Category
Windows Event Logs
- Types of events:
  - Information: normally indicates successful operation of something
  - Warning: indicates an issue that is not severe now but may be troublesome in future
  - Error: describes a significant problem
  - Success Audit (Security log): e.g. a user successfully logs into the system
  - Failure Audit (Security log): e.g. a failed login attempt
An Example
Level: Warning
Date and time: 12/6/2013 12:34:21 PM
Source: Tcpip
Event ID: 4228
Task category: None
Details: TCP/IP has chosen to restrict the scale factor due to a network condition. This could be related to a problem in a network device and will cause degraded throughput.
- The issue is related to communication
- The scale factor is related to the receive window size
- By using the window scale option, the receive window size may be increased up to a maximum value of 1,073,725,440 bytes. This is done by specifying a one-byte shift count in the TCP header options field
- The true receive window size is the 16-bit window field left-shifted by the shift count. A maximum value of 14 may be used for the shift count (65535 << 14 = 1,073,725,440)
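Parsing records like the one above and running a simple detection over them, as an added example that is not part of the slides. The records are constructed, laid out as tab-separated columns in the field order the slides give for the event header; the Tcpip 4228 line is the slide's event, and the 4625/4624 Security-log lines (Microsoft's "An account failed to log on" / "An account was successfully logged on") and the computer names are invented for the demo.

```python
"""Added example (not from the slides): parse Windows Event Viewer style
records and flag a burst of failed logons per computer. SAMPLE_LOG is
constructed; the 4228 record is the slide's, the others are invented."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Column order follows the event header fields listed on the slides
FIELDS = ["Level", "Date and Time", "Source", "Event ID", "Task Category", "User", "Computer"]

SAMPLE_LOG = """\
Warning\t12/6/2013 12:34:21 PM\tTcpip\t4228\tNone\tN/A\tLAB-PC7
Failure Audit\t12/6/2013 12:35:01 PM\tMicrosoft-Windows-Security-Auditing\t4625\tLogon\tN/A\tLAB-PC7
Failure Audit\t12/6/2013 12:35:03 PM\tMicrosoft-Windows-Security-Auditing\t4625\tLogon\tN/A\tLAB-PC7
Failure Audit\t12/6/2013 12:35:05 PM\tMicrosoft-Windows-Security-Auditing\t4625\tLogon\tN/A\tLAB-PC7
Failure Audit\t12/6/2013 12:35:06 PM\tMicrosoft-Windows-Security-Auditing\t4625\tLogon\tN/A\tLAB-PC7
Success Audit\t12/6/2013 12:35:09 PM\tMicrosoft-Windows-Security-Auditing\t4624\tLogon\tN/A\tLAB-PC7
Failure Audit\t12/6/2013 12:40:00 PM\tMicrosoft-Windows-Security-Auditing\t4625\tLogon\tN/A\tLAB-PC9
Information\t12/6/2013 12:41:12 PM\tService Control Manager\t7036\tNone\tN/A\tLAB-PC9
"""

FAILED_LOGON = 4625     # Security log: An account failed to log on
SUCCESS_LOGON = 4624    # Security log: An account was successfully logged on


def parse_event(line):
    """One tab-separated record -> dict; Event ID becomes int, the timestamp a datetime."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    ev = dict(zip(FIELDS, parts))
    ev["Event ID"] = int(ev["Event ID"])
    ev["Date and Time"] = datetime.strptime(ev["Date and Time"], "%m/%d/%Y %I:%M:%S %p")
    return ev


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def count_by_level(events):
    return Counter(ev["Level"] for ev in events)


def failed_logon_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Per computer, report the first run of >= threshold failed logons inside
    `window`, and whether a successful logon followed it (guess-then-succeed)."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["Event ID"] in (FAILED_LOGON, SUCCESS_LOGON):
            by_host[ev["Computer"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["Date and Time"])
        fails = [e["Date and Time"] for e in evs if e["Event ID"] == FAILED_LOGON]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                end = fails[j]
                followed = any(e["Event ID"] == SUCCESS_LOGON and e["Date and Time"] > end
                               for e in evs)
                alerts[host] = {"failures": j - i + 1, "start": fails[i],
                                "end": end, "success_after": followed}
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(count_by_level(evs))
    for host, alert in failed_logon_bursts(evs).items():
        print(host, alert)
```

The same loop is what a SIEM does at scale across the other sources listed on the next slides; correlating a failure burst with the success that follows it is more useful than either count on its own.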
Logging at Many Places
- Windows event logs
- Antivirus programs
- Firewalls
- RADIUS server
- DHCP server
- IDS and IPS ...
Event Correlation
Courtesy: SANS Analyst Program Document