Operating System Security
Dr. Neminath Hubballi
IIT Indore © Neminah Hubballi


Post on 25-Dec-2015



Outline

Functions of Operating System
Security concerns in OS
Process security
File security
Booting security
Hibernation security
Password based security
Event log management in Windows

Functions of Operating System

Is a mediator between user applications and hardware
Handles many complex tasks
  Memory management
  Process management
  Handling deadlocks
  File system support
  Multitasking
  Multi-user support

What Can Go Wrong?

Consider a situation where there is a shortage of systems in the school of CSE, IITI
If you are asked to share the same PC with your peers
  What do you want to do?
Users have different levels of access
  Based on role
Multiple users and multitasking require a level of protection
  One user from interfering with other users
  One program from interfering with other users
Sharing of resources
  Optimization

Organization of Computer Hardware and Software

Hardware
  Many devices
  Each device has a driver
  Provides APIs to access
Kernel
  Heart of OS
  Manages the low level h/w resources
Non essential component of OS
  Printing program
User application
  Access the service provided by OS
  System calls

Layer diagram, top to bottom:
  User Applications
  Non Essential OS Applications
  OS Kernel
  Hardware

Process

Kernel defines the notion of a process
Programs are stored in persistent storage
Can multiple copies of the same program run simultaneously?
Time slicing
Process tree
  Fork system call
  Parent and child
  Peers
In a Linux system init is the root of the process tree
  Meaning all other processes are created by it
  Its PID is 0

Process Tree Diagram

Process Privileges

To grant appropriate access restrictions on the process, the operating system associates privilege information with a process
This privilege is the same as the privilege of the user who is running the process
Each process has a user id called uid and a group id called gid
The uid is a number between 0 and 32767 which uniquely identifies each user
Typically uid 0 is assigned to the root user
Similarly gid is also a number in the same range
Effective user id eid is the user id whose privileges are used to access a resource

File Ownership and Permissions

Permissions:
  Assigned to each file/directory
  Provide security
  Ability to manage users and their files.
  Needed to access file/directory
  Usually granted to groups
In multi-user operating systems like Linux, access is given only to authorized users
Super (root) user:
  Has special privileges
    In a sense owns everything
    Can change file ownerships
    Bypass permissions that owner of file may have set
  Uses root account to provide administrative functions

File Ownership and Permissions

Unix systems treat everything as a file
Special files
  Devices: a piece of hardware, either part of the system or an external unit
  Sockets: a means of communicating with other processes
Permissions can be of
  Read
  Write and
  Execute
File system
  ext2 and ext3: permissions apply
  FAT: no means of ownership

Sticky Bit in Unix

Sticky bit: mainly used to prevent some other user from deleting a file even though she has write permission on the folder
If the sticky bit is enabled on a folder, the folder contents can be deleted only by the owner who created them and the root user.
This is a security measure to avoid deletion of critical folders and their content (sub-folders and files), even though other users have full permissions.
Setting sticky bit
  chmod +t /opt/dump/
  +t indicates sticky bit setting
Check sticky bit
  ls -l : a t will appear in the listing
Revoking sticky bit
  chmod -t /opt/dump/
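An audit for the condition the sticky bit protects against, as an added example that is not part of the original slides: it walks a directory tree and classifies each directory by whether it is world-writable and whether the sticky bit is set. The sample tree and the directory names in it are constructed for the demonstration.

```python
import os
import stat
import tempfile

def sticky_report(root):
    """Return {path: verdict} for every directory under root (root included).

    'ok'      : not world-writable
    'sticky'  : world-writable with the sticky bit set (like /tmp)
    'exposed' : world-writable without it, so any user can delete or
                rename files that other users created there
    """
    report = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if not mode & stat.S_IWOTH:
            verdict = "ok"
        elif mode & stat.S_ISVTX:
            verdict = "sticky"
        else:
            verdict = "exposed"
        report[dirpath] = verdict
    return report

def build_sample_tree():
    """Constructed sample: three directories with different modes."""
    root = tempfile.mkdtemp(prefix="sticky-demo-")
    modes = {"private": 0o755, "dump": 0o1777, "shared": 0o777}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod ignores the umask, unlike mkdir
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path, verdict in sorted(sticky_report(root).items()):
        # filemode() renders the same string ls -l shows, ending in 't'
        # when the sticky bit is set.
        listing = stat.filemode(os.lstat(path).st_mode)
        print(f"{listing}  {verdict:8} {path}")
```
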

Memory Management

Process granularity
  Each process upon creation is allocated some memory called its address space
  This memory is organized in segments
    .text, .data, .bss, heap and stack segments
  Each segment has its own access permissions
    Readable, writable and executable
  Operating system protects one process from another by not allowing access to another's address space
Global granularity
  Kernel address space
  User address space
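The per-segment permissions can be inspected on Linux through /proc/<pid>/maps; the following added example (not part of the original slides) parses that format and flags any mapping that is both writable and executable. The sample listing is constructed, and the use of /proc is an assumption about the platform.

```python
from typing import NamedTuple

# Constructed sample in /proc/<pid>/maps format: code, read-only data,
# data/bss, heap, one anonymous writable+executable region, and the stack.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131090   /usr/bin/demo
0060a000-0060b000 r--p 0000a000 08:01 131090   /usr/bin/demo
0060b000-0060c000 rw-p 0000b000 08:01 131090   /usr/bin/demo
01c3f000-01c60000 rw-p 00000000 00:00 0        [heap]
7f1c2a000000-7f1c2a021000 rwxp 00000000 00:00 0
7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0 [stack]
"""

class Mapping(NamedTuple):
    start: int
    end: int
    perms: str   # e.g. 'r-xp': read, write, execute, private/shared
    name: str

def parse_maps(text):
    """Parse maps text into Mapping records, skipping malformed lines."""
    mappings = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        start, end = (int(part, 16) for part in fields[0].split("-"))
        name = fields[5].strip() if len(fields) == 6 else "[anonymous]"
        mappings.append(Mapping(start, end, fields[1], name))
    return mappings

def writable_and_executable(mappings):
    """Mappings that can be both modified and run as code."""
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]

def load_maps(pid="self"):
    """Read the live maps file, falling back to the constructed sample."""
    try:
        with open(f"/proc/{pid}/maps") as handle:
            return handle.read()
    except OSError:
        return SAMPLE_MAPS

if __name__ == "__main__":
    for m in parse_maps(load_maps()):
        flag = "  <-- W+X" if m in writable_and_executable([m]) else ""
        print(f"{m.perms} {m.end - m.start:>10} {m.name}{flag}")
```
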

Booting Sequence and Security

Typical booting sequence is
  BIOS
  Secondary Boot Loader
  Operating System
There is a chain of trust in the booting process
An attacker can subvert the booting process by altering or modifying something in any of these components
In order to protect the system from such changes, most systems have a BIOS password

Hibernation and Security

Hibernation is the concept of saving the state of the system to disk
  Typically the state information is stored in a file
  Entire main memory is copied into a file (in a compressed format)
Since the entire state is copied onto disk
  All passwords and other sensitive information carry the danger of being exposed
Researchers have shown the feasibility of extracting such information by mounting a live CD attack
On a Windows machine the state is stored in the file c:\hiberfil.sys

Password and User Account Management in Operating System

Naive approach
  Create a file password where all users' passwords are stored
    Neminath : pass156
    Gourinath : test234
    Somnath : temp123
  Save the file password in a place in the system
What if a thief gets access to this file?
  All user accounts are compromised
What can we do to prevent it?
  Encrypt the file containing the passwords
    Seems a good idea but not enough
    There is a key used to encrypt the file
    How does the OS verify the password?
    Key needs to be somewhere in the system
    Key needs to be stored
    If the file containing the passwords can be stolen, the key can also be stolen
  Use one-way hashing and salting: most flavors of Unix systems use this method

Password and User Account Management in Operating System

One-way hashing is a function f
Characteristic of this function is
  When supplied x, it computes f(x) easily
  But the inverse is extremely complex, i.e., given f(x) it is difficult to calculate x.
An example
  Convert all the characters into their ASCII values and XOR them
  Resultant is a small number derived out of the XOR operation
  Store the hash value in the password file
  Note we do not store the password anywhere
The idea is to make it impossible to guess the password even if the hash value is known
Now the password file looks like
  Neminath : a12hf
  Gourinath : b4a2e
  Somanath : d34ef

Password and User Account Management in Operating System

From a thief's perspective
  She can start guessing passwords one by one and compare them to the hash values in the password file
  She needs to know which hash function to use
  There are only a handful of good one-way hash functions implemented
  So it's easy to guess one or find out one
  Using a table called a rainbow table (which is a list of common pre-computed password hashes) it is easy to break it
Even if one user uses a weak password which matches one in the dictionary, system security is compromised
This is addressed through a technique called salting

Password and User Account Management in Operating System

Salting
  Do not hash passwords as they are; add something to them and then hash
  Unix system uses an additional 12 bit number to hash the password
How to choose the value of the salt
  Deterministic across the users: not a good idea!
  Unique for each user: sounds good, but how to get a unique one
    Take the current timestamp of the system and divide by a predetermined number to get a 12 bit remainder; use it as the salt.
    Metadata as salt: use the birthday or PAN number of the user as salt
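The hashing and salting slides above, worked through as an added example that is not part of the original slides: the toy XOR hash cannot tell a password from its anagrams, an unsalted hash gives two users with the same password the same stored value, and a per-user salt removes that. The 16-byte random salt, PBKDF2-HMAC-SHA256 and the round count are assumptions chosen for this example, not the 12 bit salt or DES scheme the slides describe, and the guesses are constructed.

```python
import hashlib
import hmac
import os

def xor_hash(password):
    """The slide's toy hash: XOR together the ASCII values of the characters."""
    value = 0
    for byte in password.encode("ascii"):
        value ^= byte
    return value  # always in 0..127 for ASCII input

def xor_collisions(candidates, stored_hash):
    """Candidates the toy hash cannot tell apart from the real password."""
    return [c for c in candidates if xor_hash(c) == stored_hash]

def unsalted(password):
    """Plain SHA-256: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

ROUNDS = 100_000  # assumed work factor for this example

def make_record(password, salt=None):
    """Return (salt, key), drawing a fresh 16-byte random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, key

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(attempt, key)

if __name__ == "__main__":
    # Constructed guesses: every anagram of the password passes the toy hash.
    guesses = ["temp123", "temp321", "3pmet21", "hello"]
    print("toy-hash matches:", xor_collisions(guesses, xor_hash("temp123")))
    # Two users who picked the same password.
    print("unsalted equal:", unsalted("temp123") == unsalted("temp123"))
    first, second = make_record("temp123"), make_record("temp123")
    print("salted equal:  ", first[1] == second[1])
    print("verify ok/bad: ", verify("temp123", first), verify("temp124", first))
```
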

Unix Password Management

The file /etc/passwd stores the Unix users' passwords
Unix password is hashed and salted
Salting and hashing effectively increase the amount of work needed to break into the target system
Algorithm
  Take the first 8 ASCII characters of the user password and encrypt a 64 bit constant consisting of all 0's
  If the user password is less than 8 characters, suitably pad it to make it 56 bits
  Encrypt the 64 bit block of 0's 25 times with DES using the user password as key
  Resultant encrypted version is stored in the file

Windows Event Logging

Windows Event Logs

Types of Logs
  Application logs: events from applications
  Security logs: login and logout details, failed logins
  System logs: events from system components
The event header contains
  Date and time
  User and Computer
  Event ID
  Level
  Source
  Category

Windows Event Logs

Types of Events
  Information: Normally indicates successful operation of something
  Warning: Indicates not a severe issue but in future it may be troublesome
  Error: Describes a significant problem
  Success Audit (Security log): When a user successfully logs into system
  Failure Audit (Security log): A failed login attempt

An Example

Level: Warning
Time and day: 12/6/2013 12:34:21 PM
Source: Tcpip
Event ID: 4228
Task category: None
Details: TCP/IP has chosen to restrict the scale factor due to a network condition. This could be related to a problem in a network device and will cause degraded throughput.

Issue is related to communication
Scale factor is related to receive window size
By using the window scale option, the receive window size may be increased up to a maximum value of 1,073,725,440 bytes. This is done by specifying a one byte shift count in the header options field.
The true receive window size is left shifted by the value in shift count. A maximum value of 14 may be used for the shift count value.
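To make the scale factor in this event concrete, here is an added example (not part of the original slides) that pulls the one byte shift count out of a TCP options field and computes the true receive window. The option bytes are constructed samples; the option kind numbers and the clamping of larger shift counts to 14 follow the TCP window scale specification (RFC 7323).

```python
MAX_SHIFT = 14  # largest shift count allowed, as the slide states
KIND_EOL, KIND_NOP, KIND_WSCALE = 0, 1, 3

def window_scale_shift(options):
    """Return the shift count found in a TCP options field, or None.

    Raises ValueError when the option list is malformed.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == KIND_EOL:          # end of option list
            break
        if kind == KIND_NOP:          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option truncated before its length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for option kind {kind}")
        if kind == KIND_WSCALE:
            if length != 3:
                raise ValueError("window scale option must be 3 bytes long")
            return min(options[i + 2], MAX_SHIFT)  # larger values are clamped
        i += length
    return None

def true_window(advertised, shift):
    """Left-shift the 16-bit advertised window by the shift count."""
    if not 0 <= advertised <= 0xFFFF:
        raise ValueError("advertised window is a 16-bit field")
    return advertised << (shift or 0)

# Constructed option bytes: MSS 1460, NOP, window scale 7, SACK permitted.
SAMPLE_OPTIONS = bytes.fromhex("020405b4010303070402")

if __name__ == "__main__":
    shift = window_scale_shift(SAMPLE_OPTIONS)
    print("shift count:", shift)
    print("true window:", true_window(0xFFFF, shift))
    print("maximum    :", true_window(0xFFFF, MAX_SHIFT))
```
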

Logging at Many Places

Windows event logs
Antivirus programs
Firewalls
Radius server
DHCP server
IDS and IPS ...

Event Correlation

Courtesy: SANS Analyst Program Document

Sequence of Events

Courtesy: SANS Analyst Program Document