OS Notes

Information about OS Notes

Published on June 19, 2007

Author: Belly

Source: authorstream.com

Content

Operating System Security
Susan Hinrichs, Cyber Security, Spring 2006

Outline
- Unix/Linux access control: users and groups; file system controls
- Windows NT/XP security: executive, access tokens, security descriptors, ACLs
- Windows Vista security additions

Unix Reading Material
- Man pages: groups, newgrp; chmod, chown, chgrp
- Unix and Security: The Influences of History, ftp://coast.cs.purdue.edu/pub/doc/misc/spaf-influences-of-history.ps.Z

Basic Unix Security Model
- User authenticated on logon
- User ID associated with process; the default comes from the user's entry in the passwd file
- Group ID associated with process; the default also comes from the passwd file
- Groups defined in /etc/group: each group definition lists its set of users, and a user can be a member of multiple groups

Shadow Files
- /etc/passwd and /etc/group must be readable by everyone
- Both files originally contained crypt'ed passwords, and read access enables offline attacks
- Fix: add shadow versions of each file. The password field is obscured in /etc/passwd and /etc/group, and the hashes are stored in the more restricted shadow versions of these files

Unix Access Control
- Three permission triplets are associated with each file and directory: owner, group, and other
- Each triplet specifies read, write, execute
- So for each file/directory, RWX permissions can be specified for one owner, one group, and one "other" (everyone else)

Unix Access Check
- First test the effective user ID against the owner; if it matches, use the owner rights
- Otherwise test all groups the user is a member of against the file's group; if one matches, use the group rights
- Otherwise use the other rights
- Each triplet can be viewed as rwx or as a value from 0-7, e.g. rx = 5 and rw = 6

Constraining Control of New Objects
- The umask can be set to constrain the access allowed on new objects created by the user
- Expressed as a 3-digit octal mask, e.g. 0022
- The inverse of the umask is ANDed with the access requested for the new object
- E.g. open requests 0666 (read and write for all): 0666 & ~0022 = 0666 & 0755 = 0644

Other Bits
- Set-UID and set-GID bits: when set, the process created by executing the file takes on the user ID or group ID associated with the file
- Sticky bit: on directories, prevents anyone but the owner of a file from removing that file from the directory

File System Extensions
- Ext2 extra attributes: a - append only; c - compressed; s - secure deletion; u - undeletable; i - immutable

Unix Security Problems
- Created as a subset of the more complete Multics model: expedient at the time, but it limits modern expressibility
- Security evolved over 30 years, with inconsistencies
- Early evolution occurred in open university environments, which encourages bad habits

Windows Reading Material
- Inside Windows NT, Helen Custer, Chapter 3 section 3
- Windows NT Security in Theory and Practice
- Vista Security Features: http://www.microsoft.com/technet/windowsvista/evaluate/feat/secfeat.mspx

NT Security Model
- Ultimately NT security controls access and auditing
- Implements the standard subject/object security model
- Designed into NT: implemented as a security-constrained executive
- Controls are applied to core OS objects like processes and sockets in addition to the more traditional file system elements (NTFS)
- Everything that can be named is an object, and all objects can have the same security controls applied

NT Security Elements
- Subject - process or thread running on behalf of the system or an authenticated user
- Security ID (SID) - a globally unique ID that refers to the subject (user or group)
- Access token - the runtime credentials of the subject
- Privilege - ability held by the subject to perform "system" operations; usually breaks the standard security model. Associated with the access token; generally disabled by default, and can be enabled and disabled to run with least privilege
- Example powerful privileges:
  SeAssignPrimaryTokenPrivilege - replace process token
  SeBackupPrivilege - ignore file system restrictions to back up and restore
  SeIncreaseQuotaPrivilege - add to the memory quota for a process
  SeTcbPrivilege - run as part of the OS

Windows User/Group Definitions
- Control Panel / Computer Management contains the user/group definitions
- Control Panel / Local Security Settings, under User Rights, lets the user associate users and groups with privileges

Access Token: Example Subject
(figure) Access token with sid=123456 and Privileges = SeBackup/disabled, SeTcb/disabled, for user Amer/shinrich; an authentication exchange with the Domain Controller, which holds the DB of users, SIDs and privileges.

More Security Elements
- Object - individually secured entity such as a file, pipe, or even a process
- Rights - actions associated between object and subject: read, write, execute, audit
- Access control list (ACL) - associated with an object; an ordered list in which each access control entry (ACE) contains a subject and a right. Evaluated by the security subsystem to determine access to protected objects. Discretionary ACLs (DACLs) control access; system ACLs (SACLs) control audit

Access Control List
(figure)

Still More Security Elements
- Security descriptor - represents an object in the system. Contains the object's owner, the object's group, the object's DACL and the object's SACL
- AccessCheck evaluates an (ACL, subject, object) triple. Called by many system calls; can be called from user code too

Security Descriptor
(figure)

Example ACL
(figure) \mydocs\hw1.doc. Security descriptor: sid=123456, gid=78910, SACL=null, DACL = [SID=Everyone: read; SID=123456: read, write; SID=22222: deny]

Example Evaluation
(figure)

Working with ACLs
- Accessed via File Explorer: right-click a file/directory and select Sharing and Security
- Can programmatically create and traverse ACLs; see MSDN for details

SACL Controls Auditing
- In addition to the DACL that controls access, each object has a SACL to control auditing
- The process access token is compared to the SACL to determine whether to log
- Auditing is also enabled by local policy

Windows Security Problems
- The kernel-level security model is reasonable: more consistent and complete than Unix
- So why do Windows installations have so many security problems?
- Unix evolved from a multi-user environment; Windows came from a single-user, stand-alone environment
- The kernel provides least privilege and fine-granularity control, but Windows users and application writers did not know how to use it

Vista Security Additions
- As far as I can tell, the core security mechanisms are unchanged
- Important changes in user and service mode make it easier to run at low privilege
- Additional features: host intrusion detection, firewall improvements, network quarantine

User Account Protection
- Enable non-privileged users to perform many operations that require privilege today (add a printer, update WEP keys)
- Prompt the user to activate a privileged account if privilege is needed
- Registry and file virtualization sandboxes unprivileged users

Windows Service Hardening
- In XP, most services run as the high-privilege LOCAL SYSTEM
- A service can run as another user, but this is awkward to install because one must create an unprivileged user, prompt the user to create a password, etc.
- Service hardening creates a SID for each service, like an unprivileged user that cannot log in

Data Protection
- Uses a secure co-processor, the Trusted Platform Module, that is included with many of today's laptops
- Used to implement Secure Startup, which detects changes to the system on reboot and protects against changes made by mounting the system from another OS

Network Access Protection
- Network quarantine: places restrictions on the characteristics of a computer that can connect to the network
- For example, a computer can connect to the network only if its patches are up to date

Summary
- Standard operating system security elements
- Unix shows security has been available for many decades
- Windows shows security underpinnings exist in a widely used OS perceived to be insecure
- Vista security changes make it easier to use existing security mechanisms
- Security is continuing to evolve
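The Unix access check (owner, then group, then other) and the umask rule from the Unix slides above, worked through as an added Python example. This is not code from the slides or from any Unix implementation; the uids, gids and modes are constructed sample values, and the `Inode`/`Process` types are assumptions that model only the fields the check consults.

```python
# Added example (not part of the original slides): a simulation of the Unix
# access check and umask rules described in the "Unix Access Check" and
# "Constraining Control of New Objects" slides. All uids, gids and modes are
# constructed sample values.
from dataclasses import dataclass, field
from typing import List

R, W, X = 4, 2, 1  # permission bits of one rwx triplet


@dataclass
class Inode:
    """The pieces of a file's metadata that the access check consults."""
    mode: int   # permission bits only, e.g. 0o644 (rw-r--r--)
    uid: int    # owner
    gid: int    # group


@dataclass
class Process:
    """The credentials of the calling process."""
    euid: int
    egid: int
    groups: List[int] = field(default_factory=list)  # supplementary groups


def rwx(mode: int) -> str:
    """Render a 9-bit mode as ls-style text, e.g. 0o640 -> 'rw-r-----'."""
    bits = "rwx" * 3
    return "".join(c if mode & (1 << (8 - i)) else "-" for i, c in enumerate(bits))


def permission_class(inode: Inode, proc: Process) -> str:
    """Pick exactly one triplet, in the order the slides give: owner, then
    group, then other. The first match wins even if a later class would
    grant more, so an owner with mode 0o070 cannot read their own file."""
    if proc.euid == inode.uid:
        return "owner"
    if inode.gid == proc.egid or inode.gid in proc.groups:
        return "group"
    return "other"


def permitted(inode: Inode, proc: Process, requested: int) -> bool:
    """True if every requested bit (R, W, X combined) is present in the
    triplet selected for this process. The slides (and this model) leave
    out the superuser, for whom the kernel skips this check."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(inode, proc)]
    granted = (inode.mode >> shift) & 0o7
    return requested & ~granted == 0


def new_object_mode(requested: int, umask: int) -> int:
    """Mode of a newly created object: the requested bits ANDed with the
    inverse of the umask, as in the slides' 0666 & ~0022 = 0644 example."""
    return requested & ~umask & 0o777


if __name__ == "__main__":
    hw = Inode(mode=0o640, uid=1000, gid=100)          # constructed file
    owner = Process(euid=1000, egid=1000)
    teammate = Process(euid=2000, egid=2000, groups=[100])
    stranger = Process(euid=3000, egid=3000)
    print(rwx(hw.mode))                                 # rw-r-----
    print(permitted(hw, owner, R | W), permitted(hw, teammate, W),
          permitted(hw, stranger, R))                   # True False False
    print(oct(new_object_mode(0o666, 0o022)))           # 0o644
```

The `permission_class` short-circuit is the practical point of the slide's ordering: membership in the file's group never helps a process whose effective uid already matched the owner, which is why a mode like 0o070 locks the owner out.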
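The ordered DACL walk and the SACL audit decision from the NT security slides, using the slides' \mydocs\hw1.doc descriptor, as an added Python example. This is a simulation written for this page, not Windows code or the Win32 AccessCheck API; the SID labels ("Everyone", "123456", "22222") and the `Token`, `ACE` and `SecurityDescriptor` types are simplified assumptions taken from the slide's drawing, not real Windows SIDs or structures. It goes slightly beyond the slide by also modelling a NULL DACL versus an empty DACL and canonical (deny-first) ordering.

```python
# Added example (not part of the original slides): a simulation of the Windows
# DACL evaluation and SACL audit decision described in the NT security slides.
# The SIDs ("Everyone", "123456", "22222") and rights are simplified sample
# values taken from the slides' \mydocs\hw1.doc example, not real Windows SIDs.
from dataclasses import dataclass, field
from typing import List, Optional, Set

READ, WRITE, EXECUTE = 1, 2, 4
EVERYONE = "Everyone"   # well-known group every token implicitly carries


@dataclass
class Token:
    """Runtime credentials of a subject: its user SID plus group SIDs."""
    user_sid: str
    group_sids: List[str] = field(default_factory=list)

    def sids(self) -> Set[str]:
        return {self.user_sid, EVERYONE, *self.group_sids}


@dataclass
class ACE:
    """One access control entry: a subject (SID), rights, and the entry kind."""
    kind: str          # "allow" or "deny" in a DACL, "audit" in a SACL
    sid: str
    rights: int
    on_success: bool = True    # audit entries only
    on_failure: bool = True


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[List[ACE]]   # None models a NULL DACL, [] an empty DACL
    sacl: Optional[List[ACE]] = None


def access_check(sd: SecurityDescriptor, token: Token, requested: int) -> bool:
    """Walk the DACL in order, as the slides describe.

    A NULL DACL grants everything; an empty DACL grants nothing. A matching
    deny entry that covers a still-outstanding right fails the check at once;
    allow entries accumulate until every requested right is granted."""
    if sd.dacl is None:
        return True
    remaining = requested
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


def canonical(dacl: List[ACE]) -> List[ACE]:
    """Windows' canonical ordering: deny entries before allow entries. Because
    evaluation stops as soon as the request is satisfied, a deny placed after
    a broad allow (as in the slide's drawing) never takes effect."""
    return sorted(dacl, key=lambda a: 0 if a.kind == "deny" else 1)


def should_audit(sd: SecurityDescriptor, token: Token, requested: int, granted: bool) -> bool:
    """Compare the token against the SACL to decide whether to log this access."""
    for ace in sd.sacl or []:
        if ace.kind != "audit" or ace.sid not in token.sids():
            continue
        if ace.rights & requested and (ace.on_success if granted else ace.on_failure):
            return True
    return False


# The slides' \mydocs\hw1.doc descriptor, with the deny entry last as drawn;
# the SACL entry (audit failed writes by anyone) is a constructed addition.
HW1 = SecurityDescriptor(
    owner="123456", group="78910",
    dacl=[ACE("allow", EVERYONE, READ),
          ACE("allow", "123456", READ | WRITE),
          ACE("deny", "22222", READ | WRITE | EXECUTE)],
    sacl=[ACE("audit", EVERYONE, WRITE, on_success=False, on_failure=True)])

if __name__ == "__main__":
    blocked = Token("22222")
    print(access_check(HW1, blocked, READ))        # True: Everyone's allow is reached first
    reordered = SecurityDescriptor(HW1.owner, HW1.group, canonical(HW1.dacl), HW1.sacl)
    print(access_check(reordered, blocked, READ))  # False: the deny is now evaluated first
    print(should_audit(HW1, Token("99999"), WRITE, granted=False))  # True
```

The two `access_check` calls in the usage block show why the slide stresses that an ACL is an ordered list: with the deny entry placed after the Everyone allow, subject 22222 still reads the file, and only the canonical deny-first ordering makes the deny effective.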
