Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Application Security corresponds with Chapter 3: program security; Chapter 4: OS security and Chapter 5, with additional notes from various sources. Throughout these ages our operating systems infested by bugs The ignorant world turns to Windows for safety Safety from themselves It is now the time for the world to realize that we all feel pain By DilDog Ninja Strike Force (Cult of the Dead Cow) Sensei of the Undocumented Opcode. From the slides of Vitaly Shmatikov – Univ of Texas SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. So far • We looked at: – Various vulnerabilities – Fundamentals of Cryptography • Encryption/decryption • Secure hash functions. • Next: Software application security (roughly corresponds to chapter 3 – though I have added additional notes from sources other than the textbook) SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Applications • Food for thought: – If a computer does not run any software, then it cannot be attacked. • Hence, “host-based attacks” are all due to software applications. – Host-based is different from network-based attacks. – Host-based attacks focus on the information stored on a “host” computer, while network based attacks focus on information in transit across networks. • Application security involves studying “host-based” security. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. What does application security entail? • There are several software applications varying in complexity: – E.g, • Simple editors, Web Servers, Database Management Systems, Operating Systems. While they have some common vulnerabilities, each of them have unique/specific security vulnerabilities. • Difficult/impossible(?) to study the security of every type of software application. • Hence, in this part of the course we will limit our study to: – Secure Design principles that apply to any software application. – Application of secure design principles to Operating Systems (Windows and Linux) and Database Management Systems (Oracle) – Examples of secure programming principles for programming in Java. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Secure Design principles • Design principles are different from implementation principles. Design deals with what facilities etc., that you will offer. • What principles do you think you will follow when designing a software application? SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Secure Design principles (2) • Originally formulated in 1975 by Jerome Saltzer and Michael Shroeder. • Other principles were added later. • Complete list from website maintained by the Department of Homeland Security: https://buildsecurityin.uscert.gov/daisy/bsi/articles/knowledge/principles/358-BSI.html SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. List of principles of software security. • • • • • • • • • • • • Least Privilege Economy of Mechanism Complete Mediation Separation of Privilege Least Common Mechanism Securing the weakest link. Defense in depth Failing Securely Reluctance to trust Never assuming that your secrets are safe Promoting Privacy. Psychological acceptability • One more principle from the original authors: Open design. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Principles of software security (2) • Least Privilege • Give the least privilege for the least time to get the job done. • The time factor is important. • When implementing code or any system – use features that will limit time. • E.g., if someone logs in as an administrator and the account is idle, log the person out! • Economy of Mechanism • Based on the mantra “KISS”: Keep it simple, stupid! • How does it translate to implementation/design of secure code? – Reuse components of any code (make code modular). – Do not re-implement security algorithms (e.g., DES cryptography) – use standard APIs. – Create a choke point when developing code – choke points are interfaces from which all the code must pass. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Principles of software security (2) – Complete Mediation • Security checks in applications cannot be bypassed/circumvented. • E.g., the single user mode in Linux or the “safe mode” in Windows allow login without entering password: This is a violation of complete mediation. – Open Design • No secrets. • E.g., the security of encryption should not depend on keeping the encryption algorithm secret. – Separation of Privilege (or “separation of duty”) • E.g., multiple authentication criteria. (we will see more of this when discussing OS security) – Least Common Mechanism • E.g, do not share certain resources. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Other principles • Securing the weakest link. • Defense in depth • Failing Securely • Reluctance to trust • Never assuming that your secrets are safe • Promoting Privacy. – E.g., if you haven’t fixed buffer overflow, don’t bother installing retinascanning-based authentication – Have a layered approach if possible for software. – E.g., in the Java code you would want to run the code with certain protection. – Do not let your code or software simply crash! – Or if it crashes, do not let it expose any secrets – e.g., by passing too much information to the exception handling routines. – Never assume that the user will use the code the way you design. – Don’t rely on an obscure implementation (similar to Open design) – We will look at this when discussing database security. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Next: Example 1: How principles of software security design apply to the design of general purpose OSes Corresponds to Chapter 4 w/ additional notes by Prem Uppuluri SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. General purpose OS. • Examples: – Windows NT family • 2000, XP, Vista, 7 – Linux (multi-user) – FreeBSD – Solaris • Specifically, any OS that is designed to run multipurpose software. • Excluded from this list: Mobile OSes (iPhone, Android, Windows mobile etc.). Why? These use a subset of general purpose OS security mechanisms. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. What is an Operating System? • What is the function of an Operating System (OS)? • It is software that: – mediates access to, and – enforces the sharing of system resources, by all other programs on the machine. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Two key characteristics of a general purpose OS • Most general purpose OSes these days: – Support multi processing (multiple processes can share the CPU). – Support multi users (multiple users can work at the same time). SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Functions of an OS • Some functions of an OS – Creation/removal of processes: OSes allow users to start new processes and end them. – Memory management: Operating Systems allocate memory and manage the memory (e.g., free memory) etc., when processes are being executed. – Process scheduling: When multiple processes are competing with each other to run on ONE CPU, an OS is responsible for scheduling which process runs next? – Handling I/O and Interrupts SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. What needs to be protected in a general purpose OS? (1) • So based on the functions of an OS, it is clear that – When multiprocessing (with multiple users) several hardware resources are shared and thus need protection: (Examples: • • • • • Memory I/O systems Disks Networks Sharable data/programs ) • So how do OSes protect these? And against whom? SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. What needs to be protected in a general purpose OS? (1) • Examples of where security is needed: – User level processes should not interfere with each other. E.g., a Word process should not be able to access the memory of a Chrome process. – Permissions on user directories (folders) and files. – Sharing of I/O resources (e.g., multiple users on a computer should not be able to view each other's print jobs, or keystrokes). SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. OS security using separation. • OSes achieve security using the concept of separation of access to resources. • Some examples of separation include: – Access control • (who can access the resources of a system?) – Identity and credential management • (what is the identity of the current user? Can this identity be changed?) – Audit and Integrity checks. • (Keeps track of who performed what actions at what time. Also, have any files been changed? Are different measures consistent?) – Information flow. • E.g., What can be cut and pasted? What can be copied and pasted? What info can be sent out on the network? SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Next: • How does an Operating System achieve separation? • What are the key issues in doing so? SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Main challenge: Policing the Police… or protecting the Operating System itself! • An OS is responsible for separation, however, there is a problem: – Given that an OS is a software program. What prevents other software programs from circumventing the OS? i.e., why cannot the OS be bypassed? Or, can an OS be bypassed? Example: Is it possible for you to write a program that directly accesses the resources by circumventing the OS's memory management, process management and other mechanisms? SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Circumventing the OS • An OS can be circumvented in certain cases: – E.g., when you boot an OS from a CD or a DVD – you are circumventing the OS on the disk. • The OS installed on the disk will be unable to mediate any of your processes access to the CPU. • However, once you “load” an operating system – it cannot be circumvented (or it should not be if implemented securely). Why cannot it be circumvented? SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. The Architecture-OS dance. • Various architectures (Intel, AMD, SPARC etc.) provide some hardware security features (think of them as switches) such that: – The first software that gets loaded when you start a computer grabs the controls of these hardware features. – Without control of these hardware features, hardware resources cannot be accessed. • (unless you use a physical attack, such as removing a hard disk from the computer). • If the first software is the OS (as is usually the case), it controls these hardware features. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. What is separation? • What are these hardware features? – Two key ones: • Interrupts (programmable interrupts) and • Rings. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Privilege rings in OS. • Most CPUs come with multiple “rings”. • When a software wants to access any hardware resource, it has to grab a certain ring number. • Ring 0: allows access to all the hardware resources… Ring 3: doesn’t allow any access to hardware. Ring 1 will allow access to a few etc... • • Image source:l Wikipedia SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. © LOTR Privilege rings in OS (2). • So how does a software grab a ring? (A) (B) (C) (D) Defeating Lord Sauron. Using Orcs. Capture Gollum. Using interrupts. Answer: D Image source:l Wikipedia SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Privilege rings in OS (3). • • Interrupts Every architecture (intel x86, SPARC etc) provides certain hardware switches called interrupts. • Interrupts can be “thrown” or triggered using machine language instructions that the architecture supports. – E.g., 0x80h is an assembly op code (in Intel x86 architecture) that allows a software to grab ring 0. Image source:l Wikipedia • Every interrupt is associated with a software method (program). • ONLY that software program can be executed when the interrupt is thrown. The first software that gets loaded on boot-up, will also install the software programs associated with each interrupt SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Privilege rings in OS (4). • So an OS (as it is the first process that must be loaded into the memory): – Loads the software methods associated with each interrupt. – E.g., In Intel x86 architecture, interrupt 80 is associated with grabbing the ring 0. • So with this interrupt, the OS associates software methods (or functions or sub routines) that allow access to hardware resources. • These software methods are called “system calls”. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. System calls in an OS • Every OS provides a set of system calls – Think of these as an API to access and/or modify various resources – E.g., • in Linux: – – sys_open, allows a program to access files on a disk. (so access to the hardware: disk). Sys_fork, allows the creation of a new process (thus accessing the resources of memore etc.). • In Windows: – NtCreateProcess: creates a new process (similar to fork). • Complete list of system calls in Linux: • Look at the file: /usr/include/unistd.h on any Linux machine. • Complete list of system calls in Windows: • http://www.metasploit.com/users/opcode/syscalls.html SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. System calls in OS • There are many system calls as you saw in the links on previous slides. • System calls are organized into an “array”. Think of this as an array of methods. – System_call[] syscalls … – Each index associated with one system call. • E.g., syscalls[3] may be the method “fork” system call. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. System calls summary. • When a software process calls a system call, let us say “Open”, then: – Interrupt 80 is thrown. (So the software program now has access to ring 0). – However remember when an interrupt is thrown: only the software associated with that interrupt can be executed. – This software (a whole bunch of system call implementations) is provided by the OS. – The appropriate system call method is searched (in this case “open”) and executed. • Hence, OS can control complete access to hardware resources by other software process. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Another way to look at how OS can prevent any process from directly accessing hardware.. • if a software process wants to access the hard disk – it has to grab ring 0. • However, it can only grab ring 0 by throwing the interrupt 0x80 (on Intel x86). • However, if it throws interrupt 0x80, then only the code associated with that interrupt can get executed. • The first process loaded when the system boots up gets the first shot at associating software with each interrupt. • If the first process is the OS itself – then the OS can control the software associate with each interrupt. • Hence, any other software program can only use the OS’s software to access hardware resources. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings. Next: • Overview of security provided by the operating system in accessing: – Memory – Files – Etc.. SlidesMaterial by Premmainly Uppuluriderived based on material from various sources. ITEC 245. from Pfleeger; Daswani or Stallings.