Applied IT Security
System Security
Dr. Stephan Spitz

4 OS Security, Applied IT Security, Dr. Stephan Spitz

Course Overview
• Overview & Basics
• Network Protocols and the Internet
• Operating Systems and Applications
• System Security
• Operating System Security
• Security Threats on Networks
• Firewalls and Intrusion Detection Systems
• Applied Cryptography
• Public Key Infrastructures
• Authentication Protocols
• Encryption and Digital Signatures in Topical Applications
• Device Security
• Smart Cards, Secure µProcessors and Crypto Libraries
• Security Certification
• The Future of IT Security

Overview: Operating System Security
• Operating System Security
• General Security Design Criteria
• Risks
• Secure Configuration and Tailoring
• OS Security Requirements and Models
• Examples
• Trusted Solaris
• The Java Runtime Environment
• Malicious Code
• Structure of a Virus
• Overview of Malicious Code
• Counter Measures

General Security Design Criteria
• Security concept: provable and as simple as possible
• Closed security concept which cannot be bypassed
• No "security by obscurity", i.e. the security mechanisms are public
• Security mechanisms have the lowest possible impact on usability
• Design principle of "need to know", i.e. a user or process has exactly the necessary rights and not more

Risks
• Unauthorized access to data (e.g. reading freed memory which is not really deleted, such as swap files)
• Faked user identification (e.g. interrupting user authentication can create a successful login)
• Attempts to corrupt the OS (e.g. wrong input creates an inconsistent OS state, attempts to create a buffer overflow)
• Security holes in applications (e.g. Internet worms take advantage of bugs in sendmail or FTP daemons, forgotten debug code and insufficient parameter checks in applications)
Always install the current security patches.

Secure OS Configuration = Tailoring
• Purpose-driven configuration (workstation with user access, application or file server, Windows domain controller, etc.)
• Which of the default-installed network services are really necessary? (DNS, DHCP, RAS, FTP)
• Strict division of privileges between user, system (e.g. lp) and root or administrator accounts
• Disable or delete unused system resources (temporary files and shared directories)
• Try to establish a tamper-resistant reporting mechanism for security incidents (checksums, IDS)

Unix Tailoring Examples
• Scanning for programs with setXid (X = user/group), i.e. the process is executed under the preset user:
    find / \( -perm -02000 -o -perm -04000 \) -ls
  Be careful: don't disable necessary administration programs, e.g. passwd.
• List all available network adapters (also check from a remote machine) with ifconfig -a and disable the ones not needed locally in ipchains/iptables
• Logging of syslog messages via an entry in the file /etc/syslog.conf, in the form
    facility.loglevel destination (file, pipe, log server, user, terminal)
  e.g. daemon.notice /var/log/daemon.log
• Installation of integrity checks (e.g. with the program md5sum):
    md5sum /bin/ping /bin/su /etc/ld.so.conf
  Attackers prefer to modify files in /etc/: inetd.conf, host.conf, ftpaccess

Server Tailoring Examples
• BIND Unix DNS server: remove all unnecessary information records in named.conf/named.boot, e.g. CNAME records containing host names or the SOA record containing administrative information, and check it with host -t txt server.com
• Apache Unix/Win HTTP server: only root/admin should be the owner of the Apache directory
• Apache Unix/Win HTTP server: disable all unnecessary preinstalled modules like mod_cgi, mod_status and mod_info
• Apache Unix HTTP server: install Apache in a chroot container, i.e. limit the access of the Apache process httpd to a certain directory tree, e.g. /usr/local/httpd
• Anyway: if possible, avoid running Apache under Windows

OS Security Control Mechanisms (1/2)
• User identification and authentication, i.e. the system uniquely identifies and authenticates users prior to all other user interaction
• Discretionary Access Control, i.e. the system distinguishes and administers access rights to an object per user, group or both (standard for file access in UNIX)
• Mandatory Access Control, i.e. the system provides all subjects and objects with attributes which are the basis for the rules that grant access (e.g. labeled security in Trusted Solaris)
• Role Based Access Control, i.e. the system grants privileges based on the role of the user (sysadmin role in Trusted Solaris)
• Object and data re-use protection, i.e. all storage objects returned to the system are treated in such a way that the preceding content cannot be reused by other subjects

OS Security Control Mechanisms (2/2)
• Principle of Least Privilege, i.e. each subject in the system is granted the most restrictive set of privileges
• Trusted Path: the system supports a trusted communication path between itself and a user which is logically isolated and unmistakably distinguishable from other paths
• A Trusted Computing Base (TCB) consists of a collection of hardware, firmware, software and databases used by the software, and documented administrative procedures that enforce the system's security policy
• Roles are given to authenticated and authorized entities based on strictly separated environments

OS Security Mechanisms and Models
1. Simple models for access control (ACL, capabilities and XrML)
2. Introduction to the security model of Bell and LaPadula
3. Security mechanisms in the OS Trusted Solaris and the Java Runtime Environment

Access Control List (ACL)
(An ACL is the column view of the access matrix: per object, which subjects hold which rights.)

  Subject \ Object   File X   File Y
  Joe                Read     Read/Write
  Jane               None     Execute

Capabilities
(Capabilities are the row view of the same access matrix: per subject, which rights it holds on which objects.)

  Subject \ Object   File X   File Y
  Joe                Read     Read/Write
  Jane               None     Execute

eXtensible rights Markup Language (XrML)
• XrML 2.0 adopts a simple model consisting of four entities and the relationships between those entities
• The basic relationship is defined by the XrML assertion "grant"
• Structurally, an XrML grant consists of the following:
  • The principal to whom the grant is issued
  • The resource that is the direct object of the "right" verb
  • The right that the grant specifies
  • The condition that must be met for the right to be exercised

XrML
  <license xmlns="xrml2core" xmlns:sx="xrml2sx" xmlns:dsig="xmldsig#"
           xmlns:xsi="XMLSchema-instance" xmlns:cx="xrml2cx"
           xsi:schemaLocation="xrml2cx.xsd">
    <grant>
      <keyHolder>
        <!-- keyHolder is the principal authenticated by a cryptographic key -->
        <!-- further tags containing public key .. -->
      </keyHolder>
      <cx:print />                 <!-- print is the right -->
      <!-- locator specifies the resource -->
      <cx:locator>
        <nonSecureIndirect URI="http://www.foo.com/sampleBook.spd" />
      </cx:locator>
      <validityInterval>           <!-- the condition -->
        <notAfter>2001-12-24T23:59:59</notAfter>
      </validityInterval>
    </grant>
  </license>

Bell-LaPadula Model
• Elements of the Bell-LaPadula model are subjects, objects, access attributes and security levels
• ACLs containing subjects, objects and access attributes are used for Discretionary Access Control
• Security levels form the Mandatory Access Control (Top Secret, Secret, Confidential, Unclassified, with NRU = No Read Up and NWD = No Write Down)
• Bell-LaPadula does not address how access rights are established (creation/deletion of subjects and objects) and does not differentiate between executable data and code

No Read Up (1)
[Figure: a subject at level Top Secret reads objects at Top Secret, Secret and Unclassified: Read OK in all three cases.]

No Read Up (2)
[Figure: a subject at level Unclassified reads an Unclassified object: Read OK; reads of Secret and Top Secret objects: Read Forbidden.]

No Write Down (1)
[Figure: a subject at level Unclassified writes to objects at Unclassified, Secret and Top Secret: Write OK in all three cases.]

No Write Down (2)
[Figure: a subject at level Top Secret writes to a Top Secret object: Write OK; writes to Secret and Unclassified objects: Write Forbidden.]

Main Characteristics of Trusted Solaris
• Trusted, i.e. an OS that satisfies a number of stringent security requirements (roles, trusted path, DAC, MAC, RSBAC, etc.)
• MAC is based on labels, i.e. all objects (files and so on) and subjects (processes) on the system are labeled
• RSBAC can be used to represent special groups (e.g. engineering, sales, administrator)
• The Principle of Least Privilege is introduced by distinct roles which replace the privileged superuser root of standard Unix systems, i.e. admin, secadmin, oper and root
• There are different purpose-driven predefined configurations like trusted desktop, trusted server, trusted database application and trusted firewall

The Java Sandbox Model
• The Java Sandbox defines a secure execution environment for Java Virtual Machine (JVM) bytecode
• The Java Sandbox consists of the three parts Bytecode Verifier, Class Loader and Security Manager
• The Bytecode Verifier checks the compiled bytecode before it is executed (correct class format, forged references, access restrictions, incorrect class type information)
• The Class Loader is responsible for loading and allocating new classes, i.e. name spaces (Java knows only references by name)
• The Security Manager decides which resources (files, network connections, etc.) can be allocated during JVM bytecode execution

Anatomy of a Java Application
[Figure only.]

The Java Security Package
• The security package (classes in the java.security package + security extensions) allows adding security features to applications and helps to extend the Sandbox model
• The security package provides the basis by which Java classes may be signed
• The security package is a complex API including:
  • The security provider interface (JCA)
  • Message digests
  • Keys and certificates
  • Digital signatures
  • Encryption (through JCE and JSSE)
  • Authentication (through JAAS)

Structure of any Virus
Infection Mechanism
• Search for possible targets (boot sector, executable file, scripts)
• Establish the virus code in the target
• Hide the code in the target
• A trigger starts the replication (the main virus characteristic)
Trigger
• The trigger starts the payload execution
• Trigger events are timer interrupt, system boot, file access
Payload
• The payload contains the malicious code
• Broad range of activities (simple message to system breakdown)
• Payload sequences are a good way to identify viruses

Overview of Malicious Code
• Trojan Horse: virus to gain an account on a target system, not necessarily with a replication mechanism
• Worm: virus without an infection mechanism, i.e. security holes in running (mainly network) processes are abused, e.g. e-mail, FTP
• Boot (Sector) Virus: virus that writes its code into the boot sector of a floppy or hard disk (mainly the master boot record)
• Macro Virus: virus infecting applications (e.g. WordBasic or VBA script viruses in the Microsoft Office suite) instead of an OS
• Hoax: only a rumor about a virus

Virus Example: MyDoom (11.02.04)
• MyDoom is a worm: the e-mail user is lured into clicking on the attachment "Mail transaction failed. Partial message is available", i.e. no own infection mechanism
• Trigger: the Windows registry is manipulated to load the MyDoom code memory-resident during the system boot
• Payload and replication: the MyDoom code looks for every stored e-mail address on the hard disk and sends a copy of itself
• Trojan Horse: MyDoom/Novarg establishes a backdoor on the infected system, i.e. a little server on the TCP ports 3127 and 3198 allows intruders to start a Distributed Denial-of-Service (DDoS) attack from the captured system

Virus Example: Sasser (03.05.04)
• Sasser is a worm: a bug in the Windows XP/2000 Local Security Authority Subsystem Service (LSASS), i.e. LSASRV.DLL (Active Directory service functions), can be used to cause a buffer overflow and to execute malicious code
• Trigger: the Windows registry is manipulated to load Sasser during the system boot via the program avserve.exe (15.872 bytes), which executes 128 attacks simultaneously in the available net. Registry entry in Windows:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avserve.exe"="%windir%\avserve.exe"
• Payload and replication: Sasser copies itself by FTP download to c:\windows\system32\[XXXXX]_up.exe and causes the infected system to reboot

Trojan Horse Example: Troj/DSNX-05 (09.04.05)
• Troj/DSNX-05 is a Trojan horse: a faked Windows security update page is used to lure the user into installing a malicious patch which contains Troj/DSNX-05. It has neither an infection mechanism nor a replication mechanism (social infection mechanism and replication via the faked web page).
• The payload of Troj/DSNX-05 contains a background server process allowing a remote attacker (using a certain client program) to gain access to and control over the machine.
• A Windows registry entry is used as the trigger event:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX = <Windows System>\<Trojan name>
  Before this entry is created, Troj/DSNX-05 copies itself to the Windows system directory using the name of a randomly chosen DLL file and an EXE extension.

Counter Measures
• Virus scanners try to identify viruses according to a certain characteristic (virus signature) stored in a database
• Heuristic virus scanners try to identify a virus with a forecast about the runtime behaviour of code (sophisticated approach, but not really efficient)
• Signed code on a trusted operating base prohibits the execution of unauthorized code, e.g. viruses, on a system
• Checksums and/or encryption make it possible to detect/avoid modifications done by a virus
• Intrusion Detection Systems (IDS) monitor a system to detect processes which may be the result of a virus infection
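The "Unix Tailoring Examples" slide gives two shell one-liners: a find for setXid programs and an md5sum run over critical files. The following Python script is an added example (not part of the lecture slides) that does both over a constructed sandbox directory: it walks a tree for files with the setuid/setgid bit, records a digest baseline, and then re-verifies after a "tamper" of a config file. SHA-256 is used in place of md5sum because MD5 is no longer collision-resistant; the file names bin/su and etc/inetd.conf are stand-ins created inside a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def find_setxid(root):
    """Paths under root whose mode carries setuid or setgid, the Python
    counterpart of `find / \\( -perm -02000 -o -perm -04000 \\) -ls`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def baseline(paths):
    """Digest per file, the equivalent of storing `md5sum` output for later comparison."""
    digests = {}
    for path in paths:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path] = h.hexdigest()
    return digests


def verify(base):
    """Compare the current tree against the baseline: path -> ok | modified | missing."""
    status = {}
    for path, digest in base.items():
        if not os.path.exists(path):
            status[path] = "missing"
        else:
            status[path] = "ok" if baseline([path])[path] == digest else "modified"
    return status


def demo():
    """Constructed sandbox: a setuid stand-in for /bin/su and an /etc/inetd.conf,
    baselined, then inetd.conf is altered the way the slide warns attackers do."""
    with tempfile.TemporaryDirectory() as d:
        su = Path(d, "bin", "su")
        su.parent.mkdir()
        su.write_bytes(b"ELF-stand-in")       # constructed content, not a real binary
        os.chmod(su, 0o4755)                  # setuid root-style permission bits
        cfg = Path(d, "etc", "inetd.conf")
        cfg.parent.mkdir()
        cfg.write_text("ftp stream tcp nowait root /usr/sbin/in.ftpd\n")
        os.chmod(cfg, 0o644)

        setxid = [os.path.relpath(p, d) for p in find_setxid(d)]
        base = baseline([str(su), str(cfg)])
        cfg.write_text("ftp stream tcp nowait root /tmp/.hidden/in.ftpd\n")  # tamper
        status = {os.path.relpath(p, d): s for p, s in verify(base).items()}
        return setxid, status


if __name__ == "__main__":
    print(demo())
```

Only the setuid stand-in shows up in the setXid scan, and only the altered inetd.conf is reported as modified; the baseline itself must of course be stored where the system's own root cannot rewrite it (read-only media or a remote log server), otherwise an intruder simply re-runs md5sum after the modification.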
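The ACL and Capabilities slides show the same Joe/Jane access matrix twice, and the Bell-LaPadula slide says that ACLs supply the DAC part while security levels supply the MAC part. This added Python example (not from the slides) builds both views from one constructed matrix and then combines a DAC check with the No Read Up / No Write Down rules; the clearances and classifications assigned to Joe, Jane, File X and File Y are assumptions chosen so that the output shows a DAC-permitted access being refused by MAC.

```python
from enum import IntEnum


class Level(IntEnum):
    """Bell-LaPadula security levels, ordered so that comparisons express dominance."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Constructed access matrix taken from the ACL / Capabilities slides.
MATRIX = {
    ("Joe", "File X"): {"read"},
    ("Joe", "File Y"): {"read", "write"},
    ("Jane", "File X"): set(),
    ("Jane", "File Y"): {"execute"},
}


def acl_view(matrix):
    """Column view: per object, which subject holds which rights (what Unix keeps with the file)."""
    acl = {}
    for (subj, obj), rights in matrix.items():
        if rights:
            acl.setdefault(obj, {})[subj] = set(rights)
    return acl


def capability_view(matrix):
    """Row view: per subject, the (object, right) tokens it carries."""
    caps = {}
    for (subj, obj), rights in matrix.items():
        caps.setdefault(subj, set()).update((obj, r) for r in rights)
    return caps


def dac_permits(acl, subj, obj, right):
    return right in acl.get(obj, {}).get(subj, set())


def mac_permits(subj_level, obj_level, right):
    """Simple security property (no read up) and *-property (no write down)."""
    if right in ("read", "execute"):      # observing: subject must dominate object
        return subj_level >= obj_level
    if right == "write":                  # altering: object must dominate subject
        return subj_level <= obj_level
    return False


def access(acl, clearance, classification, subj, obj, right):
    """Access is granted only if the discretionary ACL and the mandatory levels both agree."""
    return dac_permits(acl, subj, obj, right) and mac_permits(
        clearance[subj], classification[obj], right)


# Assumed labels: Joe is cleared Secret, Jane Unclassified; File X is Top Secret, File Y Unclassified.
CLEARANCE = {"Joe": Level.SECRET, "Jane": Level.UNCLASSIFIED}
CLASSIFICATION = {"File X": Level.TOP_SECRET, "File Y": Level.UNCLASSIFIED}


def decisions():
    acl = acl_view(MATRIX)
    requests = [("Joe", "File X", "read"),      # ACL: yes, MAC: read up -> denied
                ("Joe", "File Y", "write"),     # ACL: yes, MAC: write down -> denied
                ("Joe", "File Y", "read"),      # ACL: yes, MAC: read down -> granted
                ("Jane", "File Y", "execute"),  # ACL: yes, MAC: same level -> granted
                ("Jane", "File X", "read")]     # ACL: no -> denied regardless of MAC
    return {r: access(acl, CLEARANCE, CLASSIFICATION, *r) for r in requests}


if __name__ == "__main__":
    for req, ok in decisions().items():
        print(req, "granted" if ok else "denied")
```

Joe's write to File Y is the instructive case: his ACL entry allows it, but a Secret subject writing an Unclassified object is exactly the downward flow the *-property forbids. The model also confirms the slide's remark that it says nothing about how the matrix itself is created or changed.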
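The XrML slides describe a grant as principal, right, resource and condition, and show a license whose only condition is a validityInterval. The Python evaluator below is an added example (not from the slides or the XrML specification) that parses a constructed license of that shape and decides whether a given principal may exercise a right on a resource at a given time. The namespace strings are the slide's abbreviated ones, not the real XrML schema URIs, and the keyHolder/info/keyName element used to name the principal is an assumption for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed license following the structure on the XrML slide.
LICENSE = """<license xmlns="xrml2core" xmlns:cx="xrml2cx">
  <grant>
    <keyHolder>
      <info><keyName>alice-key</keyName></info>
    </keyHolder>
    <cx:print/>
    <cx:locator>
      <nonSecureIndirect URI="http://www.foo.com/sampleBook.spd"/>
    </cx:locator>
    <validityInterval>
      <notBefore>2001-01-01T00:00:00</notBefore>
      <notAfter>2001-12-24T23:59:59</notAfter>
    </validityInterval>
  </grant>
</license>"""

CORE = "{xrml2core}"   # default namespace of the constructed license
CX = "{xrml2cx}"       # content-extension namespace carrying the rights


def parse_grants(xml_text):
    """Each grant becomes a dict: principal, rights, resource, optional validity bounds."""
    root = ET.fromstring(xml_text)
    grants = []
    for g in root.iter(CORE + "grant"):
        # Rights are the cx:* children other than the locator (cx:print on the slide).
        rights = [c.tag[len(CX):] for c in g
                  if c.tag.startswith(CX) and c.tag != CX + "locator"]
        loc = g.find(f"{CX}locator/{CORE}nonSecureIndirect")
        not_before = g.findtext(f"{CORE}validityInterval/{CORE}notBefore")
        not_after = g.findtext(f"{CORE}validityInterval/{CORE}notAfter")
        grants.append({
            "principal": g.findtext(f"{CORE}keyHolder/{CORE}info/{CORE}keyName"),
            "rights": rights,
            "resource": loc.get("URI") if loc is not None else None,
            "not_before": datetime.fromisoformat(not_before) if not_before else None,
            "not_after": datetime.fromisoformat(not_after) if not_after else None,
        })
    return grants


def authorize(grants, principal, right, resource, now_iso):
    """True if some grant names this principal, right and resource and its
    condition holds at now_iso (ISO 8601). A grant without interval is unconditional."""
    now = datetime.fromisoformat(now_iso)
    for g in grants:
        if g["principal"] != principal or right not in g["rights"] or g["resource"] != resource:
            continue
        if g["not_before"] is not None and now < g["not_before"]:
            continue
        if g["not_after"] is not None and now > g["not_after"]:
            continue
        return True
    return False


if __name__ == "__main__":
    gs = parse_grants(LICENSE)
    print(authorize(gs, "alice-key", "print", "http://www.foo.com/sampleBook.spd",
                    "2001-12-01T12:00:00"))
```

The evaluator deliberately denies by default: a principal, right or resource that does not match any grant, or a time outside the interval, yields False, so an attacker cannot gain a right simply by presenting a license with unexpected elements. In a real deployment the keyHolder would be matched against the key that signed the request, not a plain name.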
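The Sasser and Troj/DSNX-05 slides both use a value under the Windows Run key as the trigger, and the "Counter Measures" slide lists signature-based scanners as the first line of defence. This added Python example (not from the slides) shows both detection ideas on constructed data: a signature scan over byte samples using a made-up pattern database, and an audit of an exported Run key that reports every autostart entry not on an allowlist. The signature strings, registry export lines and allowlist paths are all constructed for the example; none are real malware signatures or real product paths.

```python
import re

# Constructed signature database: name -> byte pattern. Made-up markers, not real signatures.
SIGNATURES = {
    "DemoVirus.A": b"DEMO-PAYLOAD-MARKER",
    "DemoWorm.B": b"\x90\x90\xeb" + b"DEMO-WORM",
}


def scan_bytes(data, sigs=SIGNATURES):
    """Names of every signature whose pattern occurs in data (substring match)."""
    return sorted(name for name, pat in sigs.items() if pat in data)


RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg-style export; backslashes are doubled as in a real export file.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAVTray"="C:\\Program Files\\ExampleAV\\tray.exe"
"avserve.exe"="%windir%\\avserve.exe"
"WinDSNX"="C:\\WINDOWS\\system32\\msvcrt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Setup\\finish.exe"
"""

# Constructed allowlist of autostart programs the administrator approved.
ALLOWLIST = {r"C:\Program Files\ExampleAV\tray.exe"}

_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def audit_run_key(reg_text, allowlist=ALLOWLIST):
    """(name, command) for every entry under the Run key whose command is not allowlisted.
    Allowlisting reports unknown entries rather than only known-bad names, so a renamed
    dropper is still surfaced for a human to check."""
    approved = {a.lower() for a in allowlist}
    findings = []
    in_run = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line == f"[{RUN_KEY}]"   # only the Run key, not RunOnce etc.
            continue
        m = _VALUE_LINE.match(line)
        if in_run and m:
            name, command = m.group(1), m.group(2).replace("\\\\", "\\")
            if command.lower() not in approved:
                findings.append((name, command))
    return findings


if __name__ == "__main__":
    print(scan_bytes(b"header..." + b"DEMO-PAYLOAD-MARKER" + b"...trailer"))
    print(audit_run_key(REG_EXPORT))
```

The scanner reports a sample only if the stored pattern appears byte-for-byte, which is why the slide pairs signatures with checksums and IDS: a variant whose marker differs by one byte produces no hit, while the Run-key audit still flags it because it keys on what is configured to start, not on the file's content.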