Transcript

Introduction to Computer Security
UNIX and Windows Security

Pavel Laskov
Wilhelm Schickard Institute for Computer Science

Genesis: UNIX vs. MULTICS

MULTICS (Multiplexed Information and Computing Service)
- a high-availability, modular, multi-component system
- secure design from the ground up: implementation of the Bell-La Padula model
- initial development from 1963 to 1969; continued until 1985; last system decommissioned in 2000

UNIX: the opposite of MULTICS
- initial assembler implementation by Ken Thompson and Dennis Ritchie for PDP-7 and PDP-11
- rewritten in C in 1973: the first operating system written in a high-level language
- continuous evolution of various dialects of UNIX and its routines for almost 40 years


Security and UNIX design

- Security was not a primary design goal of UNIX; the dominant goals were modularity, portability and efficiency.
- UNIX provides sufficient security mechanisms that have to be properly configured and administered.
- The main security strength of UNIX systems comes from the open source implementation, which helps improve its code base.
- The main security weakness of UNIX systems comes from the open source implementation resulting in a less professional code base.

Principals

- User identifiers (UID)
- Group identifiers (GID)
- A UID (GID) is always a 16-bit number
- A superuser (root) always has UID 0.
- UID information is stored in /etc/passwd
- GID information is stored in /etc/group

User account information: /etc/passwd

1. Username: used when the user logs in, 1–32 characters long
2. Password: 'x' indicates that the encrypted password is stored in /etc/shadow
3. User ID (UID): 0 reserved for root, 1-99 for other predefined accounts, 100-999 for system accounts/groups
4. Group ID (GID): the primary group ID
5. User ID info: a comment field
6. Home directory: the absolute path to the directory the user will be in when they log in
7. Command/shell: the absolute path of a command or shell (/bin/bash)

/etc/passwd examples

root:x:0:0:root:/root:/bin/bash

dhcp:x:101:102::/nonexistent:/bin/false

syslog:x:102:103::/home/syslog:/bin/false

laskov:x:1000:1000:Pavel Laskov,,,:/home/laskov:/bin/bash

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Shadow password file

1. Username: the user name
2. Passwd: the encrypted password
3. Last: days since Jan 1, 1970 that the password was last changed
4. May: days before the password may be changed
5. Must: days after which the password must be changed
6. Warn: days before the password is to expire that the user is warned
7. Expire: days after the password expires that the account is disabled
8. Disable: days since Jan 1, 1970 that the account is disabled

Examples:

root:!:14118:0:99999:7:::

laskov:$1$/et/grJh$xssVNwpdA35TwsSt7Yjvb/:14118:0:99999:7:::

Group file

1. Groupname: the group name
2. Password: an x indicates that a password is set; if left blank, no password has been set
3. GID: the group ID number
4. Members: current members of the group, separated by commas

Examples:

root:x:0:

adm:x:4:laskov

laskov:x:1000:

Root privileges

Almost no security checks:
- all access control mechanisms turned off
- can become an arbitrary user
- can change the system clock

Some restrictions remain but can be overcome:
- cannot write to a read-only file system, but can remount it as writable
- cannot decrypt passwords, but can reset them

Any user name can be root!

root:x:0:1:root:/:/bin/sh

funnybunny:x:0:101:Nice Guy:/home/funnybunny:/bin/sh
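The two slides above (the /etc/passwd field layout and "any user name can be root") are the kind of thing an administrator checks mechanically. The following parser and audit are an added example, not code from the lecture; it generalizes the UID 0 case to any UID shared by several user names, and the sample file is constructed from the slide's own lines.

```python
from dataclasses import dataclass

@dataclass
class PasswdEntry:
    username: str
    password: str   # 'x' means the encrypted password is in /etc/shadow
    uid: int
    gid: int
    gecos: str      # "user ID info" comment field
    home: str
    shell: str

def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one record on ':'; a record with the wrong field count is an error."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)

def parse_passwd(text: str) -> list:
    """Parse a whole file, skipping blank and comment lines."""
    return [parse_passwd_line(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def uid0_accounts(entries) -> list:
    """Every account with UID 0 is root, whatever its user name."""
    return [e.username for e in entries if e.uid == 0]

def audit(entries) -> list:
    """Findings: root under another name, and any UID shared by several
    names (the general form of the same principal-subject ambiguity)."""
    findings = [f"{n}: UID 0 under a non-root user name"
                for n in uid0_accounts(entries) if n != "root"]
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.username)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings

# Constructed sample modelled on the slide's examples, not a real system file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dhcp:x:101:102::/nonexistent:/bin/false
laskov:x:1000:1000:Pavel Laskov,,,:/home/laskov:/bin/bash
funnybunny:x:0:101:Nice Guy:/home/funnybunny:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
```

Running `audit(parse_passwd(open("/etc/passwd").read()))` on a real host reports the funnybunny-style entry as two findings: a non-root name with UID 0, and UID 0 shared by two names.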

Subjects

The subjects in UNIX are processes identified by a process ID (PID).

New process creation:
- fork: spawns a new child process which is identical to the parent except for a new PID
- vfork: the same as fork except that memory is shared between the two processes
- exec family: replaces the current process with a new process image

Processes are mapped to UIDs (principal-subject mapping) in either of the following ways:
- real UID is always inherited from the parent process
- effective UID is either inherited from the parent process or taken from the owner of the file to be executed

Objects

- Files, directories, memory devices, I/O devices etc. are uniformly treated as resources subject to access control.
- All resources are organized in a tree-structured hierarchy.
- Each resource in a directory is a pointer to the inode data structure that describes essential resource properties.

Inode structure

mode         file type and access control rights
uid          user name
gid          group name
atime        last access time
mtime        last modification time
itime        last inode change time
block count  size of the file in blocks
ptr          pointers to physical blocks with file contents

Mode field in detail

File/resource type

'-' file
'd' directory
's' socket
'b' block device file
'l' symbolic link
'c' character device file
'p' FIFO

Access control rules (permissions)

- owner rights: 'r', 'w', 'e', '-'
- group rights: 'r', 'w', 'e', '-'
- "world" rights: 'r', 'w', 'e', '-'

Examples

-rw-r--r-- 1 laskov laskov 10652 ... 08-unix.tex

lrwxrwxrwx 1 root root 15 ... stdin -> /proc/self/fd/0

crw------- 1 laskov tty 136 ... /dev/pts/1

Directory permissions

- read: searching a directory, e.g. using ls
- write: modifying directory contents, i.e. creating and deleting files and directories
- execute: making a directory current and/or opening files in it

Managing permissions

Octal encoding of permissions

- read-only: 100B ⇒ 4
- read-write: 110B ⇒ 6
- read-write-execute: 111B ⇒ 7

Modifying permissions

chmod 777 filename
chmod u+rwx,g+rx,o-w filename

Changing file owner (root only)

chown user:group filename

Default permissions

- Default permissions are usually 666 for files and 777 for directories.
- The umask command changes the default permissions.

synopsis: umask mask

The inverse of mask is ANDed with the current default permissions.

Examples:

def. perm.  mask  inv. mask  result
777         022   755        755
777         027   750        750
666         033   744        644
666         077   700        600

Controlled invocation

- Certain actions, e.g. using system ports (1-1023) or changing a password, require root privileges.
- We don't want to give users a general root privilege by telling them the root password, but only the right to run selected commands as root.
- Solution: set a special flag indicating that a program can be run under the privilege of its owner rather than that of the calling user.
- Disadvantage: this right cannot be given to selected users: all users in the "world" (or in a group) can run a program under its owner's privilege.

SUID, SGID and sticky flags

A fourth octal number is added to the permissions with the following bit designations:

- SUID: set UID (allow all users to run a program)
- SGID: set GID (allow all users in a specific group to run a program)
- sticky flag: only the owner (or root) can remove files in a directory

Use chmod with four octal digits to set the extra flags:

chmod 7644 08-unix.tex
ls -l 08-unix.tex
-rwSr-Sr-T 1 laskov laskov 13031 ... 08-unix.tex
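The mode field, the umask table and the four-digit chmod form above all describe one 12-bit value. This added example (not part of the lecture) renders such a value the way ls -l does, including the S/s and T/t cases shown for 08-unix.tex, and reproduces the umask arithmetic; it accepts both a bare chmod-style value and a full st_mode with type bits.

```python
import stat

# ls type characters, keyed by the S_IFMT bits of a full st_mode value.
TYPE_CHARS = {stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l",
              stat.S_IFSOCK: "s", stat.S_IFBLK: "b", stat.S_IFCHR: "c",
              stat.S_IFIFO: "p"}

def rwx(bits: int, special: bool, special_char: str) -> str:
    """Three characters for one class. The execute slot shows s/t when the
    special bit (SUID, SGID, sticky) is set together with execute, and S/T
    when the special bit is set but execute is not (as in -rwSr-Sr-T)."""
    r = "r" if bits & 4 else "-"
    w = "w" if bits & 2 else "-"
    if special:
        x = special_char if bits & 1 else special_char.upper()
    else:
        x = "x" if bits & 1 else "-"
    return r + w + x

def mode_string(mode: int) -> str:
    """10-character field as printed by ls -l, e.g. 0o7644 -> '-rwSr-Sr-T'.
    A value without type bits (as given to chmod) is shown as a plain file."""
    ftype = TYPE_CHARS.get(stat.S_IFMT(mode), "-")
    perm = mode & 0o7777
    owner = rwx((perm >> 6) & 7, bool(perm & stat.S_ISUID), "s")
    group = rwx((perm >> 3) & 7, bool(perm & stat.S_ISGID), "s")
    world = rwx(perm & 7, bool(perm & stat.S_ISVTX), "t")
    return ftype + owner + group + world

def mode_octal(mode: int) -> str:
    """Four-digit octal string as accepted by chmod, e.g. 0o7644 -> '7644'."""
    return format(mode & 0o7777, "04o")

def apply_umask(default: int, mask: int) -> int:
    """Permissions of a newly created file: the inverse of the mask ANDed
    with the default (666 for files, 777 for directories)."""
    return default & ~mask & 0o777

def umask_table(rows) -> list:
    """Rows of (default, mask, inverse mask, result) as in the umask table."""
    return [(d, m, ~m & 0o777, apply_umask(d, m)) for d, m in rows]
```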

Security risks of SUID

Privilege escalation:

chmod 7700 bad-script.sh
chown root:root bad-script.sh
./bad-script.sh

Ownership transfer to root is forbidden!
Exploitation automatically receives root privileges


Search paths

An attacker can divert execution to another program with the same name.

Rules of conduct:
- If possible, specify full paths when calling programs, e.g. /bin/sh instead of sh.
- The same applies to programs to be run locally: use ./program instead of program.
- Make sure . is the first symbol in the PATH variable. This will at least prevent calling a "remote" version of a program if what you really want is a "local" invocation.

Path and SUID combined

$ ls -altr /home/sitka/ping
-rwsrwxr-x 1 root root 8378 Dec 12 09:58 /home/sitka/ping
$ cat ping.c
#include <unistd.h>

int main(void) {
    char *args[2];
    args[0] = "/bin/sh";
    args[1] = NULL;
    execve(args[0], args, NULL);
}
$ PATH=/home/sitka:${PATH}
$ ping
# whoami
root

Security features missing in UNIX

- ACLs in general (getfacl only gets permissions)
- Data labeling, e.g. secret, classified etc.
- Mandatory access control, so that individuals are unable to override certain security decisions made by an admin (e.g. chmod 777 $HOME is always possible)
- Capabilities are supported by only a small subset of UNIX-like operating systems (e.g. Linux with kernel versions above 2.4.19)
- Standardized auditing

Microsoft Windows Family Tree

Key security milestones:

NT 3.51 (1993): network drivers and TCP/IP

Windows 2000: Active Directory, Kerberos, security architecture.

Server 2003: security policies, LAN and wireless security

Vista (2007): no “admin-by-default”, firewall, DEP, ASLR

64-bit versions (Vista+): mandatory kernel code signing

Security components of Windows OS

Kernel mode:
- Security Reference Monitor: ACL verification

User mode:
- Log-on process (winlogon): user logon
- Local Security Authority (LSA): password verification and change, access tokens, audit logs (MS04-11 buffer overflow: Sasser worm!)
- Security Accounts Manager (SAM): accounts database, password encryption
- User Account Control (UAC, Vista): enforcement of limited user privileges

Windows registry

- A hierarchical database containing critical system information
- Key-value pairs, subkeys, 11 value types
- A registry hive is a group of keys, subkeys, and values
- Security-related registry hives:
  - HKEY_LOCAL_MACHINE\SAM: SAM database
  - HKEY_LOCAL_MACHINE\Security: security logs, etc.
  - HKEY_LOCAL_MACHINE\Software: paths to programs!

Security risks:
- manipulated registry entries
- missing security-related registry keys

Windows domains

- A domain is a collection of machines sharing user accounts and security policies.
- Domain authentication is carried out by a domain controller (DC).
- To avoid a single point of failure, a DC may be replicated.

Active directory

Active Directory, introduced in Windows 2000, is an LDAP-like directory service for the organization of system resources:

- Users and groups
- Security credentials and certificates
- System resources (desktops, servers, printers)
- Security policies
- DNS service
- Trust management

Access control in Windows

- Access control is applied to objects: files, registry keys and hives, Active Directory objects.
- More than just access control on files!
- Various means exist for expressing security policies:
  - groups
  - roles
  - ownership and inheritance rules
  - complex access rights

Principals

- Principals are active entities in security policies
- Principals can be
  - local users
  - aliases
  - domain users
  - groups
  - machines
- Principals have a human-readable user name and a unique security identifier (SID)
- Local principals are created by the LSA, e.g. principal = MACHINE\principal
- Domain principals are administered by the DC, e.g. principal@domain = DOMAIN\principal

Security identifiers

A security identifier (SID) is a unique, machine-generated code of varying length used to identify principals.

Format: S-1-IA-SA-SA-SA-N, where
- IA (identifier authority): characterizes an issuer, e.g. World Authority (1) or Local Authority (2)
- SA (subauthority): identifies a specific SID issuer, e.g. a domain controller
- N: relative identifier, unique for each authority

Examples:
- Everyone (World): S-1-1-0
- System: S-1-5-18
- Administrator: S-1-5-21-<domain>-500

Principals used for access control

- SID: an individual principal
- Group: a collection of principals managed by the DC; groups have their own SIDs and can be nested
- Alias: a local group managed by the LSA; cannot be nested
- Aliases implement logical roles: an application may define an alias to which SIDs are assigned at run-time

Subjects

- Subjects are active entities in OS primitives.
- Windows subjects are processes and threads.
- Security credentials for a subject are stored in a token.
- Tokens provide a principal/subject mapping and may contain additional security attributes.
- Tokens are inherited (possibly with restrictions) during creation of new processes.

Token contents

Identity and authorisation contents:
- user SID, group SIDs, alias SIDs
- privileges

Defaults for new securable objects:
- owner SID, group SID, DACL

Miscellaneous attributes:
- logon SID

Privileges

- A set of fixed privileges is defined by numeric constants in Winnt.h
- Privileges control access to system resources.
- Example privileges:
  - load or unload a device driver
  - lock a page in physical memory
  - create a computer account
  - shut down the system
  - modify the system time

Privileges are not access rights!

Objects

Objects represent various passive OS entities. Example Windows objects:

- files or directories
- pipes
- processes and threads
- file mappings
- access tokens
- window-management objects
- registry keys
- printers
- network shares
- synchronization objects
- job objects
- Active Directory objects

- Security of built-in objects is managed by the OS
- Security of private objects must be managed by applications
- Securable objects are equipped with a security descriptor

Security descriptor

- Owner: a principal who owns the object
- Primary group: for POSIX compatibility
- DACL: specifies who is granted and who is denied access
- SACL: specifies a security audit policy

Access rights: an overview

- Describe what one can do to an object
- Encoded as a 32-bit mask
- Standard access rights (bits 16–23) are common to most object types:
  - DELETE
  - READ_CONTROL: read the object's security descriptor
  - SYNCHRONIZE: use the object for synchronization (not all objects)
  - WRITE_DAC: change the object's DACL
  - WRITE_OWNER: change the object's owner
- Object-specific rights (bits 0–15) are tailored to each class of objects
- Extended rights can be specified for Active Directory entries.

Generic access rights

The highest 4 bits (28–31) represent generic access rights:
- GENERIC_READ
- GENERIC_WRITE
- GENERIC_EXECUTE
- GENERIC_ALL

- Each class of objects maps its generic rights to object-specific rights.
- Generic rights are used to simplify design: they provide an intermediate description level for access rights.

ACLs in Windows

The DACL in a security descriptor is a list of Access Control Entries (ACE).

ACE format:
- ACE type: positive or negative permissions
- Principal SID
- Access rights mask
- Inheritance flags

ACEs are processed sequentially until either some entry denies all requested access rights or a set of ACEs grants all requested access rights.

ACE matching algorithm

For any object that does not have a DACL, access is always granted. For all other objects, the subject's token is compared sequentially with each ACE as follows:

- ACE does not contain a matching SID: skip and continue.
- SID matches and the ACE contains a negative permission: deny access and stop.
- SID matches and the ACE contains a positive permission:
  - if the accumulated access rights match the access mask, grant access and stop.
  - otherwise add the ACE's rights to the accumulated access rights and continue.
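The matching algorithm above, written out as an added example (not code from the lecture). The SIDs, the three right bits and the token contents are constructed; the one assumption beyond the slide is that a negative ACE stops the walk only when its mask covers at least one of the requested rights, so a deny on WRITE does not block a pure READ request. An empty DACL therefore grants nothing, while a missing DACL grants everything.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed right bits; real standard rights occupy bits 16-23 of a 32-bit mask.
READ, WRITE, DELETE = 0x1, 0x2, 0x10000

EVERYONE = "S-1-1-0"          # World SID from the slide
SYSTEM = "S-1-5-18"           # System SID from the slide
# Constructed domain SIDs (placeholder domain part, not a real domain).
ALICE = "S-1-5-21-1000-2000-3000-1001"
STAFF = "S-1-5-21-1000-2000-3000-2001"

@dataclass
class ACE:
    allow: bool   # True: positive permission, False: negative permission
    sid: str      # principal SID this entry applies to
    mask: int     # access rights mask

@dataclass
class Token:
    user_sid: str
    group_sids: tuple   # group and alias SIDs the subject carries

    def matches(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids

def access_check(token: Token, dacl: Optional[list], requested: int) -> bool:
    """Walk the DACL in order and decide whether `requested` is granted."""
    if dacl is None:
        return True                 # no DACL at all: access is always granted
    granted = 0
    for ace in dacl:
        if not token.matches(ace.sid):
            continue                # no matching SID: skip
        if not ace.allow:
            if ace.mask & requested:
                return False        # negative ACE covers a requested right: stop
            continue
        granted |= ace.mask & requested
        if granted == requested:
            return True             # accumulated rights cover the request: stop
    return False                    # list exhausted without full coverage: deny
```

Because evaluation stops at the first decisive entry, the order of ACEs matters: an allow entry placed before a matching deny entry grants the access, which is why Windows tools sort deny entries first when they write a DACL.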

Summary: UNIX vs. Windows

Windows has more security features:
- Fine-grained access control via ACLs
- Automatically generated security identifiers
- Secure storage of user credentials
- Active Directory and trust management

- Windows has a long tradition of excessive superuser privileges.
- Complex security features in Windows coupled with a closed-source implementation lead to potential insecurity due to misconfiguration.
