Service Hardening in Windows 2008

Upload: julian-moore

Post on 04-Jan-2016


TRANSCRIPT

Page 1: Service Hardening in Windows 2008

Page 2

Concept of Service Hardening

Presenter: Abu Rahat Chowdhary

Page 3

Preface

• An estimated 90 percent of personal computers run on Microsoft Windows operating systems.
• Microsoft has found itself under attack on several thousand occasions.
• During 2002-2005, Microsoft Windows worms like Blaster, Nachi, Sasser and Zotob infected a large number of systems on the Internet.

Page 4

Vista / WS 2008 (Longhorn) Security Features

• User account protection
• Windows Service Hardening
• Anti-malware
• Advanced data protection
• Many more …

Page 5

Analogy (with picture)

“Suppose you go to purchase something and carry money for it. If you carry only as much money as is needed and you are robbed, then you will lose only what you have with you … but if you took all the money, then the loss is greater.”

Page 6

Windows Service Hardening

• Windows services are profiled for allowed actions to the network, file system, and registry
• Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile

(Diagram: Service Hardening as active protection of the file system, registry and network)

Page 7

Service

Demonstration: Services.msc

Three built-in accounts under which system services run:
– Local System
– Local Service
– Network Service

Services typically run with high privileges and are attractive targets for viruses.

Page 8

What is Service Hardening?

• High-privileged services, when exploited, allow an attacker to gain unbounded control of the computer
• Hardening a service means limiting damage to the system even if the service is compromised
• Cannot prevent a service from being compromised, but provides an additional layer of protection
  – Based on the principle of defense-in-depth

(Reference Slides)

Page 9

Service Hardening

• Service hardening is one of many new security mechanisms in Windows Vista and in the next generation of Windows Server, currently known as Longhorn Server.
• It makes it more difficult for service exploits to do damage.

Page 10

Windows Service Hardening: Factoring and Profiling of Windows Kernel

• Reduce size of high-risk layers
• Segment the services
• Increase number of layers

(Diagram: layers of kernel drivers, user-mode drivers, and services 1, 2, 3, …, A, B)

Page 11

Why Service Hardening? Issues with earlier versions of Windows

Presenter: Radha Maldhure

Page 12

Related Background

(Diagram: LogOn; Session 0, Session 1, Session 2; users “Alice”, “Bob”, “Alan”)

Session
• Mechanism to support multiple interactive users logging on to the system simultaneously
• Each user (remote or local) feels as if she is using the system locally

Page 13

Related Background

• Window Messages
  – Communication mechanism between application windows, or between the system and application windows
  – E.g. when the system time is changed, the system sends WM_TIMECHANGE to all application windows on the desktop.
• Privilege
  – Right of an account to perform various system-related operations on the local computer
  – Examples: shutting down the system, changing the system time, etc.

Page 14

Issues with earlier versions of Windows

• Shared Session 0
• Privilege Issue
• No Service Isolation

Page 15

Shared Session 0

• Services and user applications for the console user run in the same session (session 0)
• Application windows in the same session can freely send window messages to each other.

Page 16

Shared Session 0 (contd)

• Shatter Attack
  – Freelance security consultant Chris Paget discovered a flaw in Windows messaging, named the “Shatter Attack”
  – A low-privilege application window may exploit a vulnerability in a high-privilege application window by means of window messaging
  – It is possible due to the shared Session 0

Page 17

Shatter Attack

• WM_TIMER abuse

SendMessage( WM_TIMER, BadFunc )

void BadFunc(){ FormatDisk();}

(Diagram: Desktop with Window 1 and Window 2)

Page 18

Privilege issue

• Services automatically gain all privileges of the account they are running in
• Services cannot specify the set of privileges required
• Lack of granular control over privileges
  – Services run with unnecessarily high privileges

(Diagram: Local System account; services Disk Manager and Garbage Collector; privileges Load driver, Shut Down, Back Up)

Page 19

No Service Isolation

• Services do not have their individual identity
  – The identity of a service is tied to the account it’s running in
  – E.g. when the Web Server is granted access to the database, the Time Server also gains access to the database

(Diagram: Web Server and Time Server both running as Account: LocalService, with access to the Database)

Page 20

Service Hardening in Longhorn/Vista

Solutions to issues with earlier versions of Windows

Presenter: Kishore Padma Raju

Page 21

Service Hardening in Longhorn/Vista

• Session 0 Isolation
  – Session 0 is assigned exclusively to services and the session is made non-interactive
• Fostering the principle of “least privileges”
  – Services can now specify the required set of privileges
• Per-service Security Identifier (SID)
• Network Access Restriction

Page 22

Session 0 Isolation

• No more shared Session 0
  – Session 0 is assigned exclusively to services and the session is made non-interactive
  – User applications run in session 1 and higher
  – Services are isolated from user applications to avoid shatter attacks

Page 23

Fostering the principle of “least privileges”

– Services can now specify the required set of privileges
  • Services are no longer required to run with all the privileges associated with the accounts they run in
  • Provides granular control
    – The Service Control Manager (SCM) removes from the process token all the privileges that are not specified as required privileges
  • If no required privileges are specified, SCM assumes that the service needs all the privileges
  • If the service requires privileges not present in the process token, the service is not started
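The procedure this slide describes, as an added example that is not part of the deck: declaring a service's required privilege set with sc.exe (the privs/qprivs verbs exist from Vista / Server 2008 onward), then confirming that SCM still starts the service with the reduced token. The service name "MyHardenedSvc" and the three privileges are assumptions for illustration.

```powershell
# Added example (not from the slides): apply a least-privilege set to a service
# with SCM's required-privileges setting. "MyHardenedSvc" is a hypothetical
# service name; run from an elevated PowerShell prompt.
$Service = 'MyHardenedSvc'

# The privileges the service actually needs (assumed for a backup-style service).
# SeChangeNotifyPrivilege (bypass traverse checking) is needed by practically every
# process. Anything not listed is stripped from the process token by SCM at start.
$Required = @(
    'SeChangeNotifyPrivilege',
    'SeBackupPrivilege',
    'SeRestorePrivilege'
)

# What the service declares today. An empty list means "all privileges of the account".
Write-Host "Required privileges before:"
sc.exe qprivs $Service

# sc.exe privs takes the privilege names separated by forward slashes.
sc.exe privs $Service ($Required -join '/')
if ($LASTEXITCODE -ne 0) { throw "sc.exe privs failed with exit code $LASTEXITCODE" }

Write-Host "Required privileges after:"
sc.exe qprivs $Service

# The new token is built at service start, so restart. SCM refuses to start the
# service if the logon account does not hold one of the declared privileges.
$Account = (Get-WmiObject -Class Win32_Service -Filter "Name='$Service'").StartName
Write-Host "Service runs as: $Account"
try {
    Restart-Service -Name $Service -ErrorAction Stop
    Write-Host "Started with the reduced privilege set."
} catch {
    Write-Warning "Service did not start with the reduced privilege set: $_"
    Write-Warning "Check the System event log (source: Service Control Manager) and widen `$Required only as far as needed."
}
```

Declaring a privilege the account does not hold is the failure mode from the slide's last bullet: for instance, a service running as Local Service cannot declare SeBackupPrivilege, because that account never holds it, and SCM will not start the service at all.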

Page 24

Per-service Security Identifier (SID)

• Per-service Security Identifier (SID)
  – Each service installed on Longhorn/Vista is assigned a SID
    • The per-service SID is based on the service name and is unique to that service on the computer
  – When the per-service SID is enabled for a service, it is added to the service’s process token by SCM when the service is started
  – The per-service SID can be used to protect service resources
    • Service resources can be ACL’d with the service SID to grant access exclusively to that service
    • It provides more granularity and service isolation

Page 25

Per-service Security Identifier (SID)

– The per-service SID can be used to gain access to certain objects normally accessible only with administrative privileges
  • By virtue of the service SID, services can run in a low-privilege account and still access certain objects that are accessible only to high-privilege accounts
  • E.g. a service running with low privilege might need write access to its log files stored in the “Program Files\<application_dir>” directory; by adding the service SID to the directory’s DACL, the service can write to its log files even if it’s running with low privileges
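The log-directory case from this slide and the SID mechanics from the previous one, as an added example that is not part of the deck: enable the per-service SID with sc.exe sidtype, show the SID that is derived from the name, and grant only that SID Modify rights on the directory. The service name "MyHardenedSvc" and the path "C:\Program Files\MyApp\Logs" are assumptions.

```powershell
# Added example (not from the slides): give a low-privilege service exclusive write
# access to its own log directory through its per-service SID.
# "MyHardenedSvc" and the log path are hypothetical; run elevated.
$Service = 'MyHardenedSvc'
$LogDir  = 'C:\Program Files\MyApp\Logs'

# 1. Make SCM add the service SID to the process token at start.
sc.exe sidtype $Service unrestricted
if ($LASTEXITCODE -ne 0) { throw "sc.exe sidtype failed with exit code $LASTEXITCODE" }
sc.exe qsidtype $Service

# 2. The SID is derived from the service name alone, so it can be shown before the
#    service is ever started. It has the form S-1-5-80-... and is addressable by the
#    account name NT SERVICE\<name>.
sc.exe showsid $Service

# 3. Grant only that SID Modify rights on the log directory, inherited to new files
#    and subfolders. The rest of Program Files stays read-only for the service.
if (-not (Test-Path -Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$acl  = Get-Acl -Path $LogDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT SERVICE\$Service",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# 4. Verify: the DACL now names the service itself, not its logon account, so a
#    different service sharing the same account gains nothing (slide 19's problem).
(Get-Acl -Path $LogDir).Access |
    Where-Object { $_.IdentityReference -like 'NT SERVICE\*' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# The SID is added to the token at start, so restart for the grant to take effect.
Restart-Service -Name $Service
```

The ACE is keyed to the service identity rather than to Local Service or Network Service, which is what separates this from the shared-account situation on slide 19: another service running under the same account does not inherit the grant.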

Page 26

Network Access Restriction

– Service network restrictions are implemented with per-service SIDs
– The Longhorn/Vista firewall has been enhanced to support service network restriction

Page 27

Network Access Restriction (Continued)

– Services can add firewall rules to specify the communication protocol, ports and direction of the traffic
  • E.g. a service can add a rule to restrict its network access to TCP port 10000 for outbound communication
  – The integrated firewall in Vista/Longhorn will block all other types of network access
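The TCP port 10000 example from this slide, as an added example that is not part of the deck: it uses the Windows Firewall service-restriction COM interface (INetFwServiceRestriction, reached through the HNetCfg.FwPolicy2 object) to mark a service as network-restricted and whitelist a single outbound flow. The service name "MyHardenedSvc" and its binary path are assumptions.

```powershell
# Added example (not from the slides): restrict a hypothetical service to outbound
# TCP 10000 with the Windows Firewall service-restriction interface. Once a service
# is restricted, only traffic matched by the rules in ServiceRestriction.Rules is
# allowed for it; everything else it sends or receives is dropped. Run elevated.
$Service = 'MyHardenedSvc'
$Binary  = 'C:\Program Files\MyApp\MyHardenedSvc.exe'

$policy      = New-Object -ComObject HNetCfg.FwPolicy2
$restriction = $policy.ServiceRestriction

# Mark the service as restricted. The last argument says whether the service runs
# with a *restricted* service SID type (sc.exe sidtype restricted); $false matches a
# service configured as "unrestricted". The firewall identifies the service's
# sockets by the per-service SID in its token, so that SID must be enabled.
$restriction.RestrictService($Service, $Binary, $true, $false)

# Whitelist exactly the traffic the slide describes: TCP, remote port 10000, outbound.
$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name            = "$Service - allow outbound TCP 10000"
$rule.Description     = 'Service restriction rule (added example)'
$rule.ApplicationName = $Binary
$rule.ServiceName     = $Service
$rule.Protocol        = 6        # NET_FW_IP_PROTOCOL_TCP (set before the port properties)
$rule.RemotePorts     = '10000'
$rule.Direction       = 2        # NET_FW_RULE_DIR_OUT
$rule.Action          = 1        # NET_FW_ACTION_ALLOW
$rule.Enabled         = $true
$restriction.Rules.Add($rule)

# Verify what the firewall now holds for this service.
"Service restricted: " + $restriction.ServiceEnabled($Service, $Binary)
$restriction.Rules |
    Where-Object { $_.ServiceName -eq $Service } |
    Format-Table Name, Protocol, RemotePorts, Direction, Action, Enabled -AutoSize
```

This store is separate from the ordinary firewall rules shown by netsh advfirewall: a normal allow rule for the application would not be enough, because the service restriction is a whitelist evaluated for the service's SID, which is why slide 26 ties network restriction to per-service SIDs.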

Page 28

Weakness

• With reduced privileges, certain services may not function correctly
  – Extensive research is required to determine the exact required privileges
• Cannot completely avoid the damage caused by a vulnerability exploit
• May call for design-level changes

Page 29

Strength

• Adds a second layer of protection
• Reduces the damage of a vulnerability exploit to a great extent
• Fosters better security practices

Page 30

Conclusion

• Service Hardening is a significant move towards enhancing Windows security
• Eliminates the Shatter attack

Page 31

What Is Defense-in-Depth?

Using a layered approach:
• Increases an attacker’s risk of detection
• Reduces an attacker’s chance of success

(Diagram: layers and example controls)
– Policies, procedures, and awareness: security policies, procedures, and education
– Physical security: guards, locks, tracking devices
– Perimeter: firewalls, border routers, VPNs with quarantine procedures
– Internal network: network segments, IPSec, NIDS
– Host: OS hardening, authentication, update management, antivirus updates, auditing
– Application: application hardening
– Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy

Page 32

DEFENSE AGAINST BUFFER OVERFLOW VULNERABILITIES

Page 33

Buffer Overflow Tutorial

• Buffer overflow vulnerabilities have been hunted, found and exploited over decades.
• Unfortunately still effective
• Numerous protection techniques have been attempted against buffer overflow attacks

Page 34

Stack Smashing

• Occurs when a cracker purposely overflows a buffer on the stack to get access to forbidden regions of computer memory.
• A stack smash is based upon the attributes of common implementations of C and C++.

Page 35

Techniques used for defenses

• Nonexecutable Stacks
  – Ensures that code on the stack can’t be run
  – Implemented on Linux OS [Sol06]
• Address Randomization
  – Randomizing the address space of the program
  – Attackers can work around some types of address randomization
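The Windows counterparts of the two techniques above are DEP (non-executable data and stack) and ASLR (address randomization), and an image opts into them through flags in its PE optional header. As an added example that is not part of the deck, and generalizing from the slide's two techniques to an audit over every installed service binary, the script below reads the DllCharacteristics field of each service executable and reports whether it was linked with /NXCOMPAT and /DYNAMICBASE. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants; the helper function names are mine.

```powershell
# Added example (not from the slides): report which service executables opt into DEP
# and ASLR by parsing the PE optional header. Flag values are the documented
# IMAGE_DLLCHARACTERISTICS_* constants; function names are this example's own.
$IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR
$IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    = 0x0040   # ASLR opt-in (/DYNAMICBASE)
$IMAGE_DLLCHARACTERISTICS_NX_COMPAT       = 0x0100   # DEP opt-in  (/NXCOMPAT)

function Get-PEDllCharacteristics {
    param([Parameter(Mandatory=$true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not an MZ executable: $Path" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                       # e_lfanew -> "PE\0\0"
    if ($pe + 24 + 72 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "No PE signature: $Path"
    }
    $opt   = $pe + 24                                             # optional header follows the 20-byte file header
    $magic = [BitConverter]::ToUInt16($b, $opt)                   # 0x10B = PE32, 0x20B = PE32+
    if ($magic -ne 0x10B -and $magic -ne 0x20B) { throw "Unknown optional header magic 0x$($magic.ToString('X')): $Path" }
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    [BitConverter]::ToUInt16($b, $opt + 70)
}

# Win32_Service.PathName looks like  "C:\Program Files\App\svc.exe" -arg  or
# C:\Windows\system32\svchost.exe -k netsvcs ; pull out the image path only.
function Get-ServiceImagePath {
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

Get-WmiObject -Class Win32_Service |
    ForEach-Object {
        $exe = Get-ServiceImagePath $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        try {
            $dc = Get-PEDllCharacteristics -Path $exe
            New-Object PSObject -Property @{
                Service     = $_.Name
                Account     = $_.StartName
                Image       = $exe
                DEP         = [bool]($dc -band $IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
                ASLR        = [bool]($dc -band $IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
                HighEntropy = [bool]($dc -band $IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
            }
        } catch { Write-Warning $_ }
    } |
    Sort-Object DEP, ASLR |
    Format-Table Service, Account, DEP, ASLR, HighEntropy, Image -AutoSize
```

The flags only show what the image asks for. Whether an executable without NX_COMPAT still gets DEP depends on the system-wide DEP policy (the nx entry in bcdedit /enum {current}), so a row with DEP = False is a prompt to check that policy for the host, and a high-privilege service with ASLR = False is the kind of target the stack-smashing slides describe.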

Page 36

Techniques used for defenses (contd)

• Code Analyzers
  – Scan the code for security errors
  – Existing code scanners: Rats [Seca], BOON [Wag]
  – Large number of false positives
• Stack Guard (canaries)
  – Put a known value on the stack just before the return address
  – Cowan’s StackGuard

Page 37

Details of Stack Guard

(Diagram of a smashed stack frame, listed from the previous frame downward in the direction of stack growth:)
– <previous stack frame>
– function arguments
– return address (overwritten with the entry address of malicious code)
– previous frame pointer (overwritten with malicious code)
– local variables (overwritten with malicious code)
– local buffer variables (overwritten with malicious code)

Page 38

• Like the legendary canary in the mine, it detects stack smash attacks.
• Inserts a “canary value” just below the return address (StackGuard) or just below the previous frame pointer (Stack Smashing Protector). This value is checked right before a function returns.

Page 39

(Diagram of a stack frame protected by a canary, listed in the direction of stack growth:)
– <previous stack frame>
– function arguments
– return address
– previous frame pointer
– local buffer variables
– local non-buffer variables
– canary value (marked in the diagram)

Page 40

Problems

• StackGuard is implemented as a GCC patch.
  – Program must be recompiled.
  – Minimal performance effects: 8% for Apache
• Canary value checking only takes place at return time, so other attacks are possible
• Canaries don’t offer foolproof protection.
  – Some stack smashing attacks can leave canaries untouched.