Download CS423/523

CSCD 303
Essential Computer
Security
Spring 2013
Lecture 6 - Desktop Security
Overview
• Learning Objectives
– Understand the functions of an Operating
System including its security functions
– Learn about the different levels of privilege
– Learn about Windows Access Control
OS Design Decisions
VS
• The kernel is the heart of the OS and
manages most of the functionality of the OS
including access to device hardware
• Have been competing designs for the
kernel
– Monolithic vs Micro Kernel vs Hybrid Kernel
Designs
– These design decisions affect ultimate security
of OS
OS Design Decisions
• Monolithic Design
– Integrate a great deal of functionality into OS
core
– Services are interdependent
– Core system is larger
– Every flaw in system is exposed through
services that depend on that system
Monolithic Kernel

Monolithic kernel where all services

File system, device drivers as well as core
functionality scheduling, memory allocation are a tight knit
group sharing same space



Do not confuse term modular kernel to be anything but
monolithic
Some monolithic kernels can be compiled to be
modular
What matters is that module is inserted to and run from
same space that handles core functionality
Monolithic Kernel Diagram
Kernel
Space
Monolithic Kernel Pros and Cons

Pros
* More direct access to hardware
for programs
* Easier for processes to
communicate between each other
* If your device is supported, it
should work with no additional
Micro Kernel



A micro kernel
Core functionality is isolated from system
services and device drivers
For instance, VFS (virtual file system) and
block device file systems are separate
processes that run outside kernel's space,
–
–

Using IPC to communicate with kernel,
other services and user processes
IPC means Interprocess Communication
Example of Micro kernel? Minix
Micro Kernel Architecture
Kernel
Mode
Micro Kernel Pros and Cons

Pros
Portability
Small memory footprint
Security Better - not as
much runs in supervisor or
privileged mode
Hybrid Kernel




Hybrid kernel is architecture based on combining
aspects of microkernel and monolithic kernel
architectures used in computer operating systems
A hybrid kernel runs some services in kernel space to
reduce performance overhead of traditional microkernel,
while still running kernel code as servers in user space
For instance, a hybrid kernel design may keep Virtual
File System and bus controllers inside kernel and file
system drivers and storage drivers as user mode
programs outside the kernel
–
Such a design keeps the performance and
design principles of a monolithic kernel.
Whats an example of a Hybrid kernel?
Hybrid Kernel Architecture
Hybrid Kernel Pros and Cons


Pros
* Developer can pick and choose what runs in
user
mode and what runs in supervisor mode
* Smaller install footprint than monolithic kernel
* More flexible than other models
Cons
* Can suffer from same process lag as
microkernel
* Device drivers need to be managed by user
Operating Systems (OS)
Functions
• What do OS's do?
– The operating system's tasks, in the most
general sense, fall into six categories:
–
Processor management
–
Memory management
–
Device management
–
Storage management
–
Application interface
–
User interface
Operating System Functions
OS controls every
task of your
computer plus
access to all the
computer resources
Picture from HowStuffWorks.com
OS Functions
Scheduler
Tasks
• Processor Management
– Allows multiple processes to share resources
of processor fairly
– Does this by scheduling processes to get
execution time
• User Processes
• Microsoft Word, Foxfire or Skype
• System Processes:
• Print spooler, network connections, security
accounts manager ... plus many others
Memory Storage
and Management
•
When an operating system manages
computer's memory, there are two
broad tasks to be accomplished:
1. Each process must have enough memory in which to
execute, and respect memory boundaries of each other
2. Different types of memory must be used properly so that
each process can run most effectively such as
–
Cache, RAM and Virtual Memory
•
First task requires operating system to set up memory
boundaries for types of software and for individual
applications
Device Management
• Path between operating system and virtually all
hardware not on computer's motherboard goes
through special program called a Device Driver
– Driver's function by translating between electrical
signals
– Hardware subsystems and high-level
programming languages of operating system and
application programs
Device Management
• Drivers are separate from operating system
so that new functions can be added to the
driver
• Thus to hardware subsystems
– Without requiring operating system itself to be
modified, recompiled and redistributed
Device Drivers
Linux
Windows Smart Card
Storage Management
• Manages and Organizes disk resources
– Includes temporary devices too
– CD and DVD drives, thumb drives,
external drives
• Creates file systems for storing both OS
types of files and user files
• Must somehow keep track of who can
access these files – Access Control
Application Programming
Interface (API)
• Drivers provide a way for applications to
make use of subsystems without having to
know every detail of internal operations
– Application Program Interfaces (APIs) let
application programmers use OS functions
without having to directly keep track of all the
details in CPU's operation
– Hides details of processor and other resources
from the program
Application Programming
Interface (API)
• For Example
– Microsoft Word or Open Office Word Processor
– You click, “Save file”
– If didn't have an API
• Word or Open Office would have to know all details
of file system and ultimately call disk controller to
create file on disk
• Instead, language program is written in, like C or
Java has a function that is mapped to operating
system API for creating file
User Interface
MAC
OS X
• User Interface (UI) brings structure to
interaction between user and computer
– In last decade, almost all development in user
interfaces has been in area of graphical user
interface (GUI),
– Provides the “look and feel” of the computer
User Interface
Windows Vista
Operating System Security Functions
OS Security functions
• Can ask … What are primary security
functions of most (all) modern Operating
Systems?
• Most OS implements two functions
1. User authentication
2. Access to resources
1. User authentication – 2 parts
a. Positively identify the user
– Compare to stored identity, user ID
b. Authenticate the user
OS Security functions
2. Access to Authorized Resources
– Decision based on access rules
– Typical authorization based on user or group
individual membership and
– Labels attached to objects
• Example: Windows users with admin
privilege
– Allowed to both view and change user
accounts
OS's Manage Privilege Level
• Two levels of privilege in modern CPU's
• This is offered by CPU itself, Intel, AMD
1. User mode – unprivileged
2. Kernel mode – more privileged
• OS runs in Kernel more privileged mode
• User programs run in User less privileged
mode
– User programs make calls to the OS
•
•
To use the hardware resources
Use the OS API to access hardware
User Powers
• Seems to be a need to have a user with
greater powers
– Root, superuser or administrator
• Yet, this comes with added risk
– If user makes a mistake, can possibly damage
the system
– Or, if they get their identity stolen, attacker has
full power to OS
User Powers
• Because of this risk problem
from elevated power, concept of
– “Least Privilege”
•
Only want to operate with minimum of
needed power to get job done
– So, while I could always log in as Administrator,
if I get my account hijacked or I get infected by
malware while I am administrator
•
Attackers then have full access to the
machine's resources
– Example: In Linux Ubuntu, have sudo command
Windows Security Features


Windows has evolved from a minimal security model
prior to Windows NT to something fairly robust in
enterprise environments with Windows Vista, 7,
Server 2003, Server 2008 and beyond
Look at main features of Windows security common
to all Windows versions
Access Control

Gatekeeper to Windows



Called Local Security Authority (LSA)
Implemented in the service, lsass.exe
What it Does
1. Validates access to objects
2. Checks user privilege
3. Creates audit messages
Access Control

Allows subjects to access objects
Subjects – Any entity that performs some action
Subjects are not just people or users
Subjects are actually processes in Windows
Objects – securable objects
•
Have associated Access Control Lists
(ACL's)
–
Lists of permissible actions by subjects
Securable Objects
•
Files, directories, services, Registry Keys,
Windows ACLs
Sets of rights

Basic:


Generic:






read, write, execute, delete, change
permission, take ownership
no access,
read (read/execute),
change (read/write/execute/delete),
full control (all),
special access (assign any basic
rights)
Directory:








no access,
read (read/execute files in directory),
list,
add,
add and read,
change (create, add, read, execute,
write files; delete subdirectories),
full control,
special access
35
35
Access Control Components

User Accounts
•
•
•

Store an identifier and have associated
privileges
Allow access to objects and system
resources
Has associated Security Identifiers for
internal use (SID)
Windows has built-in accounts
•
•
SYSTEM – powerful local machine
account
Administrator – All powerful, can be
renamed but not deleted
Security Identifiers (SIDs)
User account
has SID that uniquely
identifies it

Access Control User Rights

Say … you log onto a Windows System
How are you authenticated and what authorizes
you to access computer resources?

The Log-on process
You enter your User ID and password
Entered credentials passed to
LSASS subsystem, lsass.exe
Will go over details when we discuss
passwords
If credentials are valid, a Token is created and
The Token

Whats in a token?
•
Contains a list of Security ID's associated
with a user account
–
•

You can have multiple SIDs because you
belong to multiple groups
So, when user tries to access a resource
such as a file, token is used by the LSASS
subsystem
How is token used?
•
•
Object, say a file will have an Access
Control List (ACL) that specifies SID's
permitted to access the object
If one of SID's in users token matches SID
in Object's ACL, user granted access
Windows Privilege Levels
• In XP and other pre-Vista versions
– Had 2 choices of privilege
– 1. Administrator or
2. Normal user
• Administrator – access to everything
• Normal user – many system level tasks you needed
to do, you couldn't do
– Consequently, most people ran as
Administrator most of the time
Windows Privilege Levels
• Vista and Windows 7
– Have more choices
– Can operate as a restricted normal user and
still be able to do almost everything in OS
– And when necessary, you can be elevated to
an administrator for a short time to accomplish
some task
– Called UAC – User Account Control
http://technet.microsoft.com/enus/library/cc772207%28v=WS.10%29.aspx
User Account Control
What does it do?
UAC allows an administrator to enter credentials
during a non-administrator's user session
to perform occasional administrative tasks
without having to switch users, log off, or use the
Run as command
UAC also can also require administrators to
specifically approve applications that will make
"system-wide" changes before those
applications are allowed to run, even in the
administrator's user session
User Account Control

Windows Vista and 7, how it works:

Admin Approval Mode (AAM), by default, is
not enabled for the Built-in Administrator
Account in Windows Vista or 7

Built-in Administrator Account is disabled
by default in Windows Vista, and first user
account created is placed in local Administrators
group, and AAM is enabled for that account
Benefits of UAC



Admin Approval Mode helps prevent malicious
programs from silently installing without an
administrator's knowledge
It also helps protect from inadvertent system-wide
changes
Lastly, it can be used to enforce a higher level of
compliance where administrators must actively consent
or provide credentials for each administrative process
Tasks Only Administrators Can
Perform














Create, change, and delete user accounts and groups
Install and uninstall programs
Configure automatic updating or install Windows updates manually
Install an ActiveX control
Install or remove hardware device drivers
Share folders
Set permissions
Access all files, including those in another user’s folder
Take ownership of files
Copy or move files into the %ProgramFiles% or %SystemRoot%
folders
Restore backed-up system files
Grant rights to other user accounts and to themselves
Configure Parental Controls
Configure Windows Firewall
Tasks Available to Standard Users

Change the password and picture for their own user
account
 Use programs that have been installed on the computer
 Install approved ActiveX controls
 Configure a secure Wi-Fi connection
 View permissions
 Create, change, and delete files in their document
folders and in shared document folders
 Restore their own backed-up files
 View the system clock and calendar, and change the
time zone
 Configure power options
 Log on in Safe Mode
Summary

Operating Systems by design
Helps or hinders security

Users and processes have access to
resources on a given system
According to their identities and group
affiliations

Want the concept of Least Privilege to
be in effect
Use the least privilege level to get the job done
Helps with restricting access by potential bad
The End
• Next Time: More Desktop
• Next: Vista Lab, meet in CEB 342 according to the
day you signed up