inse 6130 operating system security - …users.encs.concordia.ca/home/w/wang/lecture/lecture/...inse...
The Problem

All security controls are initiated by ... what?
Why are we so sure about our kernel/BIOS/hardware?
What if we were insecure from the very beginning?

Network Service Security
Access Control
Authentication
Auditing and Logging
Recall the “Smartest Hack of All Time”

Ken Thompson, in his 1983 Turing Award lecture, admitted a back door he created in early UNIX versions

(Figure: Clean Source of Compiler -> Compiler; Clean Source of UNIX -> UNIX)

If you start insecure, you always end up insecure

(Photo: Kenneth Thompson and Dennis Ritchie)
OS Boot Process

Problem: many things could already go wrong before your OS security controls can ever come into effect!

(Figure: boot sequence, bottom to top: POST -> BIOS -> Expanded ROMs -> Boot Block (MBR, GRUB) -> Operating System (security control) -> User Programs)
Solution: AEGIS Architecture

Each level needs to verify its upper level’s integrity before the control is passed
Level 0 is secure: we assume it is
If level i can ensure level i+1 is secure, then all levels will be secure (a simple mathematical induction)

(Figure: levels from Level 0 (trusted) at the bottom to Level 5 at the top: POST, AEGIS ROM, BIOS section1, BIOS section2, Expanded ROMs, Boot Block (MBR, GRUB), Operating System, User Programs)
Integrity Chaining

How does level i ensure the integrity of level i+1?
Level i stores a digital signature of level i+1
What if this signature is altered?
The signature is part of level i, so level i-1 will detect the modification

(Figure: the chain grows from the trusted base (POST, AEGIS ROM, BIOS section1) through BIOS section2 to Expanded ROMs, each level holding the signature of the next)
What If The Check Fails?

The boot process will be terminated if a check fails at any level
Good for integrity, bad for availability
Recovery mechanisms
The system will boot into a small recovery kernel in ROM (like safe mode of an OS)
Then recover either from ROM cards or from network hosts
Again, why can we trust what we trust?
Bottom line: hacking hardware is more difficult than hacking software
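The integrity chaining described on these two slides, written out as a small simulation (an added example, not code from the lecture or from AEGIS itself). SHA-256 digests stand in for the digital signatures the slides mention, and the level names, the per-level "code" bytes and the tamper helpers are all constructed here. The point it shows is the induction argument: a modified level is caught by the level below it, and an attacker who also rewrites the stored reference in level i only moves the detection down to level i-1, because that reference is part of level i's own image.

```python
"""Simulation of AEGIS-style integrity chaining (added example).

Each boot level is an image (bytes). Level i embeds the digest of level i+1
as its last DIGEST_LEN bytes, so a level's digest covers both its own code
and the reference value it holds for the next level. Level 0 is the trusted
base whose digest the ROM is assumed to know.
"""
import hashlib

DIGEST_LEN = 32

# Constructed stand-ins for the code at each level (names follow the slides).
LEVELS = ["POST+AEGIS ROM", "BIOS section2", "Expanded ROMs",
          "Boot Block", "Operating System", "User Programs"]
CODES = [f"code of {name}".encode() for name in LEVELS]


def digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def build_chain(codes):
    """Build images from the top level down, so each image can embed the
    digest of the level above it. Returns images ordered level 0..n-1."""
    images = []
    next_digest = b"\x00" * DIGEST_LEN      # top level has nothing above it
    for code in reversed(codes):
        image = code + next_digest
        images.insert(0, image)
        next_digest = digest(image)
    return images


def verify_boot(images, rom_digest):
    """Walk the chain from level 0 upward.

    Returns (last_verified_level, failed_level); failed_level is None when
    every level verified. The boot halts at the first failure, as on the
    slide: level i refuses to pass control to a level i+1 it cannot verify.
    """
    if digest(images[0]) != rom_digest:      # the trusted base itself
        return 0, 0
    for i in range(len(images) - 1):
        stored = images[i][-DIGEST_LEN:]     # reference level i holds for i+1
        if digest(images[i + 1]) != stored:
            return i, i + 1
    return len(images) - 1, None


def modify_level(images, i):
    """Alter level i's code, leaving its stored reference untouched."""
    out = list(images)
    out[i] = b"X" + out[i][1:]
    return out


def modify_and_fixup(images, i):
    """Alter level i and rewrite level i-1's stored reference to match it.
    This is the 'what if the signature is altered?' case from the slide."""
    out = modify_level(images, i)
    out[i - 1] = out[i - 1][:-DIGEST_LEN] + digest(out[i])
    return out


def scenario(tamper=None):
    """Build a clean chain, apply an optional tamper function, and boot."""
    images = build_chain(CODES)
    rom_digest = digest(images[0])           # what the trusted base vouches for
    if tamper is not None:
        images = tamper(images)
    return verify_boot(images, rom_digest)


if __name__ == "__main__":
    print("clean boot:            ", scenario())
    print("level 3 modified:      ", scenario(lambda im: modify_level(im, 3)))
    print("level 3 + fixed-up ref:", scenario(lambda im: modify_and_fixup(im, 3)))
    print("trusted base modified: ", scenario(lambda im: modify_level(im, 0)))
```

A clean chain boots all the way to level 5. Modifying the boot block (level 3) is caught by level 2; patching level 2's stored reference as well changes level 2's image, so level 1 catches it instead. The only way to get past the check is to alter level 0, which is exactly why the scheme assumes the trusted base sits in ROM.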
Background

Extending the ideas of AEGIS
TCG (Trusted Computing Group)
Industry standards body w/ 135 members including component vendors, software developers, systems vendors and network and infrastructure companies, e.g., AMD, HP, IBM, Intel, Lenovo, Microsoft, Sun
Key component
TPM (Trusted Platform Module) chip
Roughly the AEGIS ROM role
Shipped in hardware: Thinkpad, Lifebook, etc.
Supported by software: Windows Vista, Trusted GRUB, etc.
What Else Can Be Achieved

Besides ensuring the integrity of the booting process?
Encrypted partitions
Offline security (stolen laptops): only verified software can decrypt the partitions
Ease data deletion/machine recycling: just change the TPM to remove the decryption key
“Any Problem in Computer Science Can Be Solved with Another Layer of Indirection (Abstraction)”

ISO/OSI model vs TCP/IP suite

ISO/OSI model        TCP/IP suite        Examples
Application layer    Application layer   HTTP, FTP, POP3, SMTP, SNMP, IMAP, IRC, SSH, Telnet, FTP, BitTorrent, …
Presentation layer
Session layer
Transport layer      Transport layer     TCP, UDP, RTP… SSL
Network layer        Internet layer      IPv4, IPv6… IPSEC
Data link layer      Data link layer     Ethernet, Wi-Fi, Token ring, FDDI, PPP…
Physical layer       Physical layer      RS-232, 10BASE-T, …
Network Model

(Conceptual/physical) communications

(Figure: Alice and Bob each run the full stack, Application through Physical layer; the intermediate nodes between them implement only the Network, Data link and Physical layers; Eve sits on the Physical layer along the path)
UNIX/Linux

Basic defense in UNIX/Linux:
iptables-based firewall + tcp_wrapper + xinetd
It’s basic, so you too should have it
It’s basic, so you shouldn’t depend on it
The UNIX Internet Daemon (inetd)

inetd is a ‘super’ server
It runs at boot time as part of the startup procedure
It examines /etc/inetd.conf to determine which network services are under its control
Then listens to those ports
Upon a connection request, inetd starts the appropriate server
No longer used in some OSs (e.g., inetd in Solaris is now configured in the Service Management Facility)
The UNIX Internet Daemon (inetd)

A sample inetd.conf file might look like this:

# Internet server configuration database
#
ftp      stream  tcp  nowait  root  /usr/etc/ftpd      ftpd
telnet   stream  tcp  nowait  root  /usr/etc/telnetd   telnetd
shell    stream  tcp  nowait  root  /usr/etc/rshd      rshd
login    stream  tcp  nowait  root  /usr/etc/rlogind   rlogind
...
echo     stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  root  internal
time     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal

Fields: service, socket type, protocol type, re-use server (wait/nowait), user, command/argument

Routinely check the file: after break-ins, services may be installed for later use
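One way to act on the "routinely check the file" advice is to parse /etc/inetd.conf and diff it against a known-good snapshot. The following is an added example, not part of the lecture; both configuration texts below are constructed for the demonstration, and the set of "expected" program directories used to flag suspicious entries is an assumption you would adapt to your own system.

```python
"""Added example: diff an inetd.conf against a known-good baseline."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Directories from which inetd servers are normally started (assumption).
EXPECTED_DIRS = ("/usr/etc/", "/usr/sbin/", "/usr/libexec/")


@dataclass(frozen=True)
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str
    args: Tuple[str, ...]


def parse_inetd_conf(text: str) -> Dict[Tuple[str, str], InetdEntry]:
    """Return {(service, protocol): entry} for every active (uncommented) line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields: {raw!r}")
        service, socket_type, protocol, wait, user, program = fields[:6]
        entries[(service, protocol)] = InetdEntry(
            service, socket_type, protocol, wait, user, program, tuple(fields[6:]))
    return entries


def audit(baseline_text: str, current_text: str) -> dict:
    """Classify services as added, removed or changed relative to the baseline,
    and flag new or changed root services started from an unexpected path."""
    baseline = parse_inetd_conf(baseline_text)
    current = parse_inetd_conf(current_text)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(current) & set(baseline) if current[k] != baseline[k])
    suspicious = [
        k for k in added + changed
        if current[k].user == "root"
        and current[k].program != "internal"
        and not current[k].program.startswith(EXPECTED_DIRS)
    ]
    return {"added": added, "removed": removed, "changed": changed,
            "suspicious": suspicious}


# Constructed snapshot taken when the machine was known to be clean.
BASELINE = """\
# Internet server configuration database
ftp     stream  tcp  nowait  root  /usr/etc/ftpd     ftpd
telnet  stream  tcp  nowait  root  /usr/etc/telnetd  telnetd
echo    stream  tcp  nowait  root  internal
echo    dgram   udp  wait    root  internal
"""

# Constructed current file: one service added, one pointed at a new binary.
CURRENT = """\
# Internet server configuration database
ftp     stream  tcp  nowait  root  /usr/etc/ftpd         ftpd
telnet  stream  tcp  nowait  root  /usr/local/.x/telnetd telnetd
echo    stream  tcp  nowait  root  internal
echo    dgram   udp  wait    root  internal
svc9999 stream  tcp  nowait  root  /tmp/.svc/sh          sh
"""

if __name__ == "__main__":
    for key, value in audit(BASELINE, CURRENT).items():
        print(f"{key:10s} {value}")
```

On the constructed input the report lists svc9999/tcp as added and telnet/tcp as changed, and both are flagged because they run as root from outside the expected directories. In practice the baseline would be stored off-host (or its hash kept in a file-integrity tool) so an intruder who edits inetd.conf cannot also edit the reference.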
xinetd

A replacement for inetd
Fedora is not shipped with inetd; it uses xinetd
Is better
Providing access control to services based on address/(domain) name of remote host, and time of access
Can alleviate DoS by placing limits on
  The number of processes for each service
  The number of processes it will fork
  The size of log files it creates
  The number of connections a single host can initiate
  Rate of incoming connections
Extensive logging abilities

http://www.xinetd.org/faq.html
tcp_wrapper

tcp_wrapper does the following:
(Optionally) sends a "banner" to the connecting client
Compares hostname/requested service with a (negative) ACL
If denied, tcpwrapper drops the connection
Logs the results with syslog
Advantages
Transparent to both the client and the wrapped network service
Centralized management of multiple protocols
tcp_wrapper Configuration

Configuration files decide which connections to accept
/etc/hosts.allow and /etc/hosts.deny
When a connection reaches tcpwrapper:
It reads /etc/hosts.allow to match a rule and executes the specified actions
If no match, it checks /etc/hosts.deny to match a rule and then denies access
If still no match, it hands the request to the server
At most one rule is executed, on a first-come-first-serve basis
tcp_wrapper Configuration Language

Format of /etc/hosts.allow and /etc/hosts.deny:
daemon_list : client_host_list [: option : option ... ]

daemon_list: command name of a list of services; wildcard ALL
client_host_list: the hostname or IP address of clients; wildcards ALL, LOCAL, KNOWN, UNKNOWN, PARANOID
option : option ...: actions (e.g., allow, deny, etc.)
tcp_wrapper Example 1

To allow all connections except those from the domain pirate.net:

#
# /etc/hosts.allow:
#
# Allow anybody to connect to our machine except
# people from pirate.net
#
ALL : .pirate.net : deny
ALL : ALL : allow

What if the order is reversed?
tcp_wrapper Example 2

To only allow finger by internal machines:

#
# /etc/hosts.allow:
#
# finger for insiders only
#
in.fingerd : LOCAL : allow
in.fingerd : ALL : twist /usr/local/bin/some_message

What if the order is reversed?
tcp_wrapper Example 3

If you discover repeated break-in attempts through telnet and rlogin, but you need to telnet into your computer from concordia.ca:

#
# /etc/hosts.allow:
#
# Allow telnet & rlogin from concordia.ca, but nowhere else
#
telnetd,rlogind : concordia.ca : allow
telnetd,rlogind : ALL : deny
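The three examples above, and the two "what if the order is reversed?" questions, can be answered by running the decision procedure from the configuration slide. The simulator below is an added example, not part of the lecture and not the real tcp_wrappers code: it implements only the subset of hosts_access(5) syntax the slides use (ALL, LOCAL, leading-dot domain patterns, trailing-dot network prefixes, exact host names, and the allow/deny/twist options). Host names and addresses in the checks are constructed.

```python
"""Added example: first-match evaluation of hosts.allow / hosts.deny."""
import ipaddress


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"bad rule: {raw!r}")
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients, parts[2:]))
    return rules


def client_matches(pattern, host, addr):
    """Subset of the hosts_access(5) client patterns used on the slides."""
    upper = pattern.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":                 # a host name without a dot
        return "." not in host
    if pattern.startswith("."):          # domain suffix, e.g. .pirate.net
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # network prefix, e.g. 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. 192.0.2.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return pattern.lower() in (host.lower(), addr)   # exact host name or address


def first_match(rules, daemon, host, addr):
    """Return the option list of the first matching rule, or None."""
    for daemons, clients, options in rules:
        if any(d.upper() == "ALL" or d == daemon for d in daemons) and \
           any(client_matches(c, host, addr) for c in clients):
            return options
    return None


def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Decide one connection: 'allow', 'deny' or 'twist:<command>'.

    hosts.allow is consulted first, then hosts.deny; the first matching rule
    in either file is the only one executed. A rule without an explicit
    option takes the default of its file; an allow/deny/twist option overrides it.
    """
    for file_default, text in (("allow", allow_text), ("deny", deny_text)):
        options = first_match(parse_rules(text), daemon, host, addr)
        if options is None:
            continue
        for opt in options:
            words = opt.split(None, 1)
            if words[0].lower() in ("allow", "deny"):
                return words[0].lower()
            if words[0].lower() == "twist":
                return "twist:" + words[1]
        return file_default
    return "allow"                       # no rule matched in either file


# The slides' examples and their reversed variants (hosts.deny left empty).
EXAMPLE1 = "ALL : .pirate.net : deny\nALL : ALL : allow\n"
EXAMPLE1_REVERSED = "ALL : ALL : allow\nALL : .pirate.net : deny\n"
EXAMPLE2 = "in.fingerd : LOCAL : allow\nin.fingerd : ALL : twist /usr/local/bin/some_message\n"
EXAMPLE2_REVERSED = "in.fingerd : ALL : twist /usr/local/bin/some_message\nin.fingerd : LOCAL : allow\n"
EXAMPLE3 = "telnetd,rlogind : concordia.ca : allow\ntelnetd,rlogind : ALL : deny\n"

if __name__ == "__main__":
    print(hosts_access(EXAMPLE1, "", "in.telnetd", "sloop.pirate.net", "203.0.113.5"))
    print(hosts_access(EXAMPLE1_REVERSED, "", "in.telnetd", "sloop.pirate.net", "203.0.113.5"))
    print(hosts_access(EXAMPLE2, "", "in.fingerd", "ws12", "192.0.2.12"))
    print(hosts_access(EXAMPLE2_REVERSED, "", "in.fingerd", "ws12", "192.0.2.12"))
    print(hosts_access(EXAMPLE3, "", "telnetd", "ws.concordia.ca", "198.51.100.7"))
```

With Example 1 reversed, the `ALL : ALL : allow` rule matches every client first, so the pirate.net deny rule is dead code; with Example 2 reversed, even LOCAL hosts are twisted to the message program. Example 3 also carries a caveat worth checking with the simulator: a pattern without a leading dot matches only a host literally named `concordia.ca`, so a workstation `ws.concordia.ca` is denied; to admit the whole domain the pattern must be written `.concordia.ca`.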
tcp_wrapper Utilities

tcpdchk scans the configuration file and reports configuration errors

% tcpdchk
Warning: /etc/host.allow, line 24, iphone: no such process name in /etc/inetd.conf
(/etc/host.allow or /etc/inetd.conf are inconsistent)

tcpdmatch simulates a request and shows the result

% tcpdmatch sshd bush@whitehouse.gov
client:   hostname whitehouse.gov
client:   address  63.161.169.137
client:   username bush
server:   process  sshd
matched:  /etc/hosts.deny line 39
option:   deny
access:   denied
%
iptables

Where it is: in Linux kernel 2.4 or later, a command line program
What it is for: define rules for filtering packets
What it is: three chains of rules, INPUT, OUTPUT, FORWARD; first come first serve

(Figure: packets destined for the host go through the INPUT chain, packets sent by the host go through OUTPUT, and packets routed through the host go through FORWARD)
iptables Example 1

iptables -A INPUT -s 200.200.200.1 -j DROP

-A: append to rule chain INPUT
-s: source address (IP or DNS name)
-j: action (DROP, DENY, ACCEPT)

So what does this mean?
What about this:

iptables -A OUTPUT -d 200.200.200.1 -j DROP
iptables Example 2

iptables -A INPUT -s 200.200.200.1/24 -p tcp --destination-port telnet -j DROP

-p: protocol (TCP, UDP, ICMP, etc.)
--destination-port (or --source-port)
/24: subnet mask (CIDR)

iptables -A INPUT -p tcp --destination-port telnet -i wan1 -j DROP

-i: input interface (or -o)

iptables -L, -F, -I INPUT 1, -R INPUT 1

-L: list, -F: flush, -I: insert, -R: replace
iptables Example 3

iptables -A INPUT -i wan1 -p tcp --syn -j DROP

--syn: SYN packet

iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP

!: not equal

iptables -P FORWARD ACCEPT

-P: default policy

http://www.netfilter.org/
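The rules in Examples 2 and 3 and the "first come first serve" evaluation of a chain, modelled in a small simulator. This is an added example for the lecture and is not netfilter code; it reproduces only the matching options the slides use (-s, -d, -p, --destination-port with !, -i, --syn, -A/-I/-F and -P), and the packets fed through it are constructed. It also shows why -I (insert at position 1) and -A (append) give different results for the same rule.

```python
"""Added example: first-match semantics of an iptables chain."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                        # -j ACCEPT or DROP
    src: Optional[str] = None          # -s, e.g. "200.200.200.1/24"
    dst: Optional[str] = None          # -d
    proto: Optional[str] = None        # -p tcp / udp / icmp
    dport: Optional[int] = None        # --destination-port
    dport_negate: bool = False         # --destination-port ! N
    in_iface: Optional[str] = None     # -i
    syn: bool = False                  # --syn

    def matches(self, pkt) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.in_iface and pkt["in"] != self.in_iface:
            return False
        if self.syn and not pkt["syn"]:
            return False
        # Port test with optional negation: match iff (equal) XOR (negated).
        if self.dport is not None and (pkt["dport"] == self.dport) == self.dport_negate:
            return False
        return True


class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy           # iptables -P CHAIN policy
        self.rules = []

    def append(self, rule):            # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule, pos=1):     # iptables -I CHAIN pos ... (1-based)
        self.rules.insert(pos - 1, rule)

    def flush(self):                   # iptables -F CHAIN
        self.rules.clear()

    def verdict(self, pkt):
        """Return (target, rule_number) of the first matching rule, or
        (policy, None) when no rule matches: chains are first come first serve."""
        for number, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy, None


def packet(src, dport, iface, proto="tcp", syn=False):
    """Constructed inbound packet addressed to this host (192.0.2.10)."""
    return {"src": src, "dst": "192.0.2.10", "proto": proto,
            "dport": dport, "in": iface, "syn": syn}


def build_input_chain():
    """INPUT chain holding the two DROP rules from the slides (telnet = port 23)."""
    chain = Chain(policy="ACCEPT")
    # iptables -A INPUT -s 200.200.200.1/24 -p tcp --destination-port telnet -j DROP
    chain.append(Rule("DROP", src="200.200.200.1/24", proto="tcp", dport=23))
    # iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP
    chain.append(Rule("DROP", in_iface="ppp0", proto="tcp", syn=True,
                      dport=80, dport_negate=True))
    return chain


def order_matters():
    """Same ACCEPT rule appended (-A) versus inserted at position 1 (-I INPUT 1)."""
    pkt = packet("200.200.200.5", 23, "eth0")
    appended = build_input_chain()
    appended.append(Rule("ACCEPT", src="200.200.200.5"))
    inserted = build_input_chain()
    inserted.insert(Rule("ACCEPT", src="200.200.200.5"), 1)
    return appended.verdict(pkt), inserted.verdict(pkt)


if __name__ == "__main__":
    chain = build_input_chain()
    print(chain.verdict(packet("200.200.200.77", 23, "eth0")))
    print(chain.verdict(packet("198.51.100.9", 22, "ppp0", syn=True)))
    print(chain.verdict(packet("198.51.100.9", 80, "ppp0", syn=True)))
    print(order_matters())
```

The appended ACCEPT rule for 200.200.200.5 never fires because rule 1 already dropped the telnet packet, while the inserted copy fires first; the `--syn` rule only affects new connections on ppp0, so a non-SYN segment of an established session on port 22 passes untouched. This is what "first come first serve" on the overview slide means in practice.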
Outline

Overview
inetd/xinetd
tcp_wrapper
iptables
Telnet/FTP/SSH

(Figure: the TCP/IP layer table from the earlier slide, repeated)
FTP: Separate Control, Data

Client contacts server at port 21, obtains authorization over control connection, browses remote directory by commands over control connection
Server receives a command for a file transfer, opens a TCP data connection to client, closes connection, maintains “state”: current directory, earlier authentication

(Figure: FTP client and FTP server joined by a TCP control connection on port 21 and a TCP data connection on port 20)
Security Issues with FTP

Passwords typed to FTP are transmitted in clear

Security Issues with FTP (Cont’d)

FTP in active mode makes it difficult to implement packet-based firewalls
Because the server needs to initiate the data connection
Bounce attack
Telnet Risks

Username, password and other session data are transmitted over the network in clear
In Ethernet, packets sent between computers are actually delivered to every computer on the wire
Telnet session packets are vulnerable throughout their journey
ISPs have had a single computer compromised, and every Telnet connection passing through it had its password sniffed
A second danger of Telnet is session hijacking
After you log in using your password, the attacker can seize control of the session and type whatever commands he wishes
What is SSH?

SSH – Secure Shell
A software
Commercial version
Freeware (www.openssh.com)
A protocol
For secure remote login/many other network services
SSH-1 developed in 1995 by Tatu Ylönen in Finland
Internet Engineering Task Force (IETF) Draft in 1995