John Mitchell
Secure Architecture Principles
CS155 Spring 2016
• Isolation and Least Privilege
• Access Control Concepts
• Operating Systems
• Browser Isolation and Least Privilege
Principles of Secure Design
• Compartmentalization
  – Isolation
  – Principle of least privilege
• Defense in depth
  – Use more than one security mechanism
  – Secure the weakest link
  – Fail securely
• Keep it simple
Principle of Least Privilege
• What’s a privilege?
  – Ability to access or modify a resource
• Assume compartmentalization and isolation
  – Separate the system into isolated compartments
  – Limit interaction between compartments
• Principle of Least Privilege
  – A system module should only have the minimal privileges needed for its intended purposes
Example: Mail Agent
• Requirements
  – Receive and send email over external network
  – Place incoming email into local user inbox files
• Sendmail
  – Traditional Unix
  – Monolithic design
  – Historical source of many vulnerabilities
• Qmail
  – Compartmentalized design
OS Basics (before examples)
• Isolation between processes
  – Each process has a UID
    • Two processes with same UID have same permissions
  – A process may access files, network sockets, …
    • Permission granted according to UID
• Relation to previous terminology
  – Compartment defined by UID
  – Privileges defined by actions allowed on system resources
Qmail design
• Isolation based on OS isolation
  – Separate modules run as separate “users”
  – Each user only has access to specific resources
• Least privilege
  – Minimal privileges for each UID
  – Only one “setuid” program
    • setuid allows a program to run as different users
  – Only one “root” program
    • root program has all privileges
Structure of qmail
Diagram: incoming external mail enters through qmail-smtpd and incoming internal mail through qmail-inject; both hand messages to qmail-queue, which signals qmail-send; qmail-send dispatches to qmail-lspawn (which runs qmail-local) for local delivery or to qmail-rspawn (which runs qmail-remote) for remote delivery.
Isolation by Unix UIDs
Diagram: each qmail component runs under its own UID: qmail-smtpd as qmaild; qmail-inject as the invoking user; qmail-queue as qmailq (setuid); qmail-send as qmails; qmail-rspawn and qmail-remote as qmailr; qmail-lspawn as root; qmail-local as the user receiving the mail.
qmailq – user who is allowed to read/write mail queue
Structure of qmail
• qmail-queue
  – Reads incoming mail directories
  – Splits message into header, body
  – Signals qmail-send
Structure of qmail
• qmail-send signals
  – qmail-lspawn if local
  – qmail-remote if remote
Structure of qmail
• qmail-lspawn
  – Spawns qmail-local
  – qmail-local runs with ID of user receiving local mail
Structure of qmail
• qmail-local
  – Handles alias expansion
  – Delivers local mail
  – Calls qmail-queue if needed
Structure of qmail
• qmail-remote
  – Delivers message to remote MTA
Isolation by Unix UIDs
Diagram: the UID assignment again, now marking qmail-queue as the one setuid program (running as qmailq) and qmail-lspawn as the one program running as root.
qmailq – user who is allowed to read/write mail queue
Least privilege
Diagram: the qmail component graph (qmail-smtpd, qmail-inject, qmail-queue, qmail-send, qmail-lspawn, qmail-rspawn, qmail-local, qmail-remote) with only two privileged points highlighted: the setuid program qmail-queue and the root program qmail-lspawn.
Android process isolation
• Android application sandbox
  – Isolation: Each application runs with its own UID in own VM
    • Provides memory protection
    • Communication limited to using Unix domain sockets
    • Only ping, zygote (spawn another process) run as root
  – Interaction: reference monitor checks permissions on inter-component communication
  – Least Privilege: Applications announce permissions
    • User grants access at install time
Access control
• Assumptions
  – System knows who the user is
    • Authentication via name and password, other credential
  – Access requests pass through gatekeeper (reference monitor)
    • System must not allow monitor to be bypassed
Diagram: a user's process sends an access request to the reference monitor, which consults the policy and decides whether the process may reach the resource.
Access control matrix [Lampson]
            File 1   File 2   File 3   …       File n
User 1      read     write    -        -       read
User 2      write    write    write    -       -
User 3      -        -        -        read    read
…
User m      read     write    read     write   read
Rows are subjects; columns are objects.
Implementation concepts
• Access control list (ACL)
  – Store column of matrix with the resource
• Capability
  – User holds a “ticket” for each resource
  – Two variations
    • store row of matrix with user, under OS control
    • unforgeable ticket in user space
            File 1   File 2   …
User 1      read     write    -
User 2      write    write    -
User 3      -        -        read
…
User m      read     write    write
Access control lists are widely used, often with groups. Some aspects of the capability concept are used in many systems.
ACL vs Capabilities
• Access control list
  – Associate list with each object
  – Check user/group against list
  – Relies on authentication: need to know user
• Capabilities
  – Capability is unforgeable ticket
    • Random bit sequence, or managed by OS
    • Can be passed from one process to another
  – Reference monitor checks ticket
    • Does not need to know identity of user/process
ACL vs Capabilities
Diagram: with ACLs, processes P, Q and R all run as user U, and the object's list is checked against U. With capabilities, each process holds its own tickets: process P holds capabilities c, d, e; process Q holds c, e; process R holds c.
ACL vs Capabilities
• Delegation
  – Cap: Process can pass capability at run time
  – ACL: Try to get owner to add permission to list?
    • More common: let other process act under current user
• Revocation
  – ACL: Remove user or group from list
  – Cap: Try to get capability back from process?
    • Possible in some systems if appropriate bookkeeping
      – OS knows which data is capability
      – If capability is used for multiple resources, have to revoke all or none…
    • Indirection: capability points to pointer to resource
      – If C → P → R, then revoke capability C by setting P = 0
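The two implementation concepts above, worked through in code. This is an added example, not code from the slides or from any real system: the object, slot and process structs, the rights bits and the three-by-three corner of the matrix are constructed for illustration. The ACL side stores a column of the matrix with each object and needs the subject's identity; the capability side stores tickets with the process, and each ticket points to a slot (the P in "C → P → R") so that one revocation kills every delegated copy.

```c
#include <stdio.h>

/* Rights as a bitmask; one matrix cell is one bitmask (constructed example). */
enum { R_READ = 1, R_WRITE = 2 };
#define MAX_ACL  4
#define MAX_CAPS 8

/* ---- ACL: each object stores its column of the access control matrix ---- */
struct acl_entry { int subject; unsigned rights; };
struct object { const char *name; struct acl_entry acl[MAX_ACL]; int n_acl; };

/* The monitor must be told who the subject is (it relies on authentication). */
int acl_check(const struct object *o, int subject, unsigned want) {
    for (int i = 0; i < o->n_acl; i++)
        if (o->acl[i].subject == subject)
            return (o->acl[i].rights & want) == want;
    return 0;                      /* subject not on the list: deny */
}

/* ---- Capabilities with indirection: ticket -> slot -> resource ----
 * The slot plays the role of P in "C -> P -> R"; clearing it revokes every
 * copy of the ticket at once. A process holding a ticket is never asked who it is. */
struct slot { struct object *resource; unsigned rights; };
struct capability { const struct slot *slot; };
struct process { const char *name; struct capability caps[MAX_CAPS]; int n_caps; };

int cap_check(const struct capability *c, const struct object *o, unsigned want) {
    if (c->slot == NULL || c->slot->resource == NULL) return 0;   /* revoked */
    return c->slot->resource == o && (c->slot->rights & want) == want;
}

/* Does the process hold any ticket that grants `want` on object o? */
int process_can(const struct process *p, const struct object *o, unsigned want) {
    for (int i = 0; i < p->n_caps; i++)
        if (cap_check(&p->caps[i], o, want)) return 1;
    return 0;
}

/* Delegation: a ticket is copied to another process at run time; no owner involved. */
int delegate(const struct process *from, int idx, struct process *to) {
    if (idx < 0 || idx >= from->n_caps || to->n_caps >= MAX_CAPS) return -1;
    to->caps[to->n_caps++] = from->caps[idx];
    return 0;
}

/* Revocation through the indirection: set P = 0, and C is dead wherever it went. */
void revoke(struct slot *s) { s->resource = NULL; s->rights = 0; }

/* Top-left 3x3 corner of the slide's matrix, stored column-wise as ACLs.
 * Returns a bitmask of checks that came out as the matrix says (31 = all). */
int acl_demo(void) {
    struct object f1 = { "File 1", { {0, R_READ},  {1, R_WRITE} }, 2 };
    struct object f2 = { "File 2", { {0, R_WRITE}, {1, R_WRITE} }, 2 };
    struct object f3 = { "File 3", { {2, R_READ} }, 1 };
    int r = 0;
    if ( acl_check(&f1, 0, R_READ))  r |= 1;   /* User 1 may read File 1 */
    if (!acl_check(&f1, 0, R_WRITE)) r |= 2;   /* but not write it */
    if ( acl_check(&f2, 1, R_WRITE)) r |= 4;   /* User 2 may write File 2 */
    if ( acl_check(&f3, 2, R_READ))  r |= 8;   /* User 3 may read File 3 */
    if (!acl_check(&f3, 0, R_READ))  r |= 16;  /* User 1 is not on File 3's list */
    return r;
}

/* Delegation and revocation with tickets. Returns 15 when every step behaves. */
int cap_demo(void) {
    struct object file = { "File 1", { {0, 0} }, 0 };   /* no ACL needed here */
    struct slot s = { &file, R_READ | R_WRITE };
    struct process p = { "P", { { &s } }, 1 };
    struct process q = { "Q", { { NULL } }, 0 };
    int r = 0;
    if ( process_can(&p, &file, R_WRITE)) r |= 1;       /* P holds the ticket */
    if (!process_can(&q, &file, R_READ))  r |= 2;       /* Q holds nothing */
    if (delegate(&p, 0, &q) == 0 && process_can(&q, &file, R_WRITE)) r |= 4;
    revoke(&s);                                          /* P = 0 */
    if (!process_can(&p, &file, R_READ) && !process_can(&q, &file, R_READ)) r |= 8;
    return r;
}

int main(void) {
    printf("acl_demo = %d, cap_demo = %d\n", acl_demo(), cap_demo());
    return 0;
}
```

Note the asymmetry the slides point out: `acl_check` takes the subject as an argument, so it is only as trustworthy as the authentication that produced it, while `process_can` inspects nothing but the tickets the process already holds. The "all or none" revocation problem also shows here: if one slot served several resources, `revoke` would cut them all at once.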
Roles (aka Groups)
• Role = set of users
  – Administrator, Power User, User, Guest
  – Assign permissions to roles; each user gets permission
• Role hierarchy
  – Partial order of roles
  – Each role gets permissions of roles below
  – List only new permissions given to each role
Diagram: role hierarchy Administrator above Power User above User above Guest.
Role-Based Access Control
Diagram: Individuals → Roles (engineering, marketing, human resources) → Resources (Server 1, Server 2, Server 3)
Advantage: users change more frequently than roles
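A role hierarchy and role assignment in code, covering both the "Roles" and "Role-Based Access Control" slides. This is an added example, not code from the slides: the permission bits, the extra Auditor role (added so the hierarchy is a genuine partial order rather than a chain) and the staff names are constructed. Each role lists only the permissions it adds; effective permissions are the union over every role reachable below it, and a personnel change edits one assignment rather than any resource.

```c
#include <stdio.h>
#include <string.h>

/* Permissions as bits (constructed for this example). */
enum { P_LOGIN = 1, P_READ_FILES = 2, P_INSTALL = 4, P_MANAGE_USERS = 8, P_READ_LOGS = 16 };

/* Role indices; N_ROLES is the table size. */
enum { GUEST, USER, POWER_USER, AUDITOR, ADMIN, N_ROLES };
#define MAX_ROLES 16
#define MAX_BELOW 2

struct role {
    const char *name;
    unsigned own_perms;        /* only the permissions newly given at this role */
    int below[MAX_BELOW];      /* roles directly below in the partial order */
    int n_below;
};

/* The slide's chain plus an Auditor role (assumed), so the order is a partial order:
 * Administrator sits above both Power User and Auditor, and both reach Guest. */
static const struct role ROLES[N_ROLES] = {
    [GUEST]      = { "Guest",         P_LOGIN,        { 0 }, 0 },
    [USER]       = { "User",          P_READ_FILES,   { GUEST }, 1 },
    [POWER_USER] = { "Power User",    P_INSTALL,      { USER }, 1 },
    [AUDITOR]    = { "Auditor",       P_READ_LOGS,    { GUEST }, 1 },
    [ADMIN]      = { "Administrator", P_MANAGE_USERS, { POWER_USER, AUDITOR }, 2 },
};

/* Depth-first walk down the hierarchy; `seen` stops double visits
 * (Guest is reached twice from Administrator). */
static unsigned collect(const struct role *roles, int r, unsigned char *seen) {
    if (seen[r]) return 0;
    seen[r] = 1;
    unsigned perms = roles[r].own_perms;
    for (int i = 0; i < roles[r].n_below; i++)
        perms |= collect(roles, roles[r].below[i], seen);
    return perms;
}

/* Effective permissions of a role = its own plus everything from roles below it. */
unsigned effective_perms(const struct role *roles, int r) {
    unsigned char seen[MAX_ROLES] = { 0 };
    return collect(roles, r, seen);
}

/* Individuals are assigned to roles; resources are never tied to individuals. */
struct assignment { const char *user; int role; };

int user_allowed(const struct assignment *a, int n, const char *user, unsigned perm) {
    for (int i = 0; i < n; i++)
        if (strcmp(a[i].user, user) == 0)
            return (effective_perms(ROLES, a[i].role) & perm) == perm;
    return 0;    /* unknown user: no role, no permission */
}

/* Walks through an assignment change; returns 31 when everything behaves as intended. */
int rbac_demo(void) {
    struct assignment staff[] = { { "alice", USER }, { "bob", AUDITOR } };
    int n = 2, r = 0;
    if ( user_allowed(staff, n, "alice", P_READ_FILES | P_LOGIN)) r |= 1;  /* LOGIN inherited from Guest */
    if (!user_allowed(staff, n, "alice", P_INSTALL))               r |= 2;
    if ( user_allowed(staff, n, "bob",   P_READ_LOGS | P_LOGIN))   r |= 4;
    if (!user_allowed(staff, n, "carol", P_LOGIN))                 r |= 8;  /* not assigned anywhere */
    staff[0].role = ADMIN;   /* a personnel change touches one assignment, not the resources */
    if ( user_allowed(staff, n, "alice", P_MANAGE_USERS | P_READ_LOGS | P_INSTALL)) r |= 16;
    return r;
}

int main(void) {
    for (int r = 0; r < N_ROLES; r++)
        printf("%-14s effective permissions = 0x%02x\n", ROLES[r].name, effective_perms(ROLES, r));
    printf("rbac_demo = %d\n", rbac_demo());
    return 0;
}
```

Because Administrator reaches Guest along two paths, the `seen` array is what keeps the walk from looping or double counting; in a production system the closure would be precomputed once when the role graph changes, since roles change far less often than users.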
Access control summary
• Access control involves reference monitor
  – Check permissions: ⟨user info, action⟩ → yes/no
  – Important: no way around this check
• Access control matrix
  – Access control lists vs capabilities
  – Advantages and disadvantages of each
• Role-based access control
  – Use group as “user info”; use group hierarchies
Discussion?
• Access control matrix
  – Access control list (ACL)
  – Capabilities
• Role-based access control
Unix access control
• Process has user id
  – Inherit from creating process
  – Process can change id
    • Restricted set of options
  – Special “root” id
    • All access allowed
• File has access control list (ACL)
  – Grants permission to user ids
  – Owner, group, other
            File 1   File 2   …
User 1      read     write    -
User 2      write    write    -
User 3      -        -        read
…
User m      read     write    write
Unix file access control list
• Each file has owner and group
• Permissions set by owner
  – Read, write, execute
  – Owner, group, other
  – Represented by vector of four octal values
• Only owner, root can change permissions
  – This privilege cannot be delegated or shared
• Setid bits
  – Discuss in a few slides
Layout of the four octal values: setid | rwx (owner) | rwx (group) | rwx (other)
Question
• Owner can have fewer privileges than other
  – What happens?
    • Owner gets access?
    • Owner does not?
Prioritized resolution of differences:
  if user = owner then owner permission
  else if user in group then group permission
  else other permission
Process effective user id (EUID)
• Each process has three IDs (+ more under Linux)
  – Real user ID (RUID)
    • same as the user ID of parent (unless changed)
    • used to determine which user started the process
  – Effective user ID (EUID)
    • from set user ID bit on the file being executed, or sys call
    • determines the permissions for process
      – file access and port binding
  – Saved user ID (SUID)
    • so previous EUID can be restored
• Real group ID, effective group ID, used similarly
Process Operations and IDs
• Root
  – ID=0 for superuser root; can access any file
• Fork and Exec
  – Inherit three IDs, except exec of file with setuid bit
• Setuid system call
  – seteuid(newid) can set EUID to
    • Real ID or saved ID, regardless of current EUID
    • Any ID, if EUID=0
• Details are actually more complicated
  – Several different calls: setuid, seteuid, setreuid
Setid bits on executable Unix file
• Three setid bits
  – Setuid – set EUID of process to ID of file owner
  – Setgid – set EGID of process to GID of file
  – Sticky
    • Off: if user has write permission on directory, can rename or remove files, even if not owner
    • On: only file owner, directory owner, and root can rename or remove file in the directory
Example
Diagram: a process with RUID 25 calls exec() on a SetUID program owned by user 18. The new process has RUID 25, EUID 18, and can read/write a file owned by 18 (mode -rw-r--r--). After it runs i = getruid(); setuid(i); it has RUID 25, EUID 25, and can read/write a file owned by 25 (mode -rw-r--r--).
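The "Question" slide's resolution rule, the three-ID model from the EUID slides, and the exec/setuid example above, all modelled in one piece of code. This is an added example, not the slides' own code and not the kernel's: it simulates the rules the deck states (owner class wins over group and other; root gets everything; seteuid may switch to the real or saved ID, or to anything when EUID is 0; exec of a setuid file sets EUID to the file owner and records it as the saved ID) on plain integers, so it runs without any privilege. The UIDs 18 and 25 and the 0644 modes are the slide's; the helper names are assumed.

```c
#include <stdio.h>

/* Per-class permission bits, as in the mode word: r=4, w=2, x=1. */
enum { P_READ = 4, P_WRITE = 2, P_EXEC = 1 };

/* Prioritized resolution from the slide: the owner class applies if the caller
 * is the owner, else the group class if the caller is in the file's group, else
 * other. Root (EUID 0) is allowed everything, as the deck states (real kernels
 * still require some x bit before root may execute a file). */
int unix_allowed(unsigned mode, unsigned file_uid, unsigned file_gid,
                 unsigned euid, const unsigned *groups, int ngroups, unsigned want)
{
    unsigned bits;
    if (euid == 0) return 1;
    if (euid == file_uid) {
        bits = (mode >> 6) & 7;          /* owner class, even if it is the weakest */
    } else {
        int in_group = 0;
        for (int i = 0; i < ngroups; i++)
            if (groups[i] == file_gid) in_group = 1;
        bits = in_group ? (mode >> 3) & 7 : mode & 7;
    }
    return (bits & want) == want;
}

/* The three IDs a process carries. */
struct ids { unsigned ruid, euid, suid; };

/* exec(): IDs are inherited, except that a setuid file replaces the EUID with
 * the file owner's ID; the saved ID records the EUID the new image starts with. */
struct ids exec_program(struct ids cur, unsigned file_owner, int setuid_bit) {
    if (setuid_bit) cur.euid = file_owner;
    cur.suid = cur.euid;
    return cur;
}

/* seteuid(newid): allowed if newid is the real or saved ID, or if EUID is root. */
int sim_seteuid(struct ids *p, unsigned newid) {
    if (p->euid == 0 || newid == p->ruid || newid == p->suid) {
        p->euid = newid;
        return 0;
    }
    return -1;
}

/* Replays the slide's example. Returns a bitmask of steps that behaved as the
 * slide says (127 = all seven). */
int slide_example(void) {
    const unsigned mode = 0644;                 /* -rw-r--r-- for both files */
    struct ids p = { 25, 25, 25 };
    int r = 0;
    p = exec_program(p, 18, 1);                 /* exec a SetUID program owned by 18 */
    if (p.ruid == 25 && p.euid == 18) r |= 1;
    if ( unix_allowed(mode, 18, 18, p.euid, NULL, 0, P_READ | P_WRITE)) r |= 2;  /* file owned by 18 */
    if (!unix_allowed(mode, 25, 25, p.euid, NULL, 0, P_WRITE))          r |= 4;  /* not user 25's file */
    if (sim_seteuid(&p, p.ruid) == 0 && p.euid == 25) r |= 8;            /* i = getruid(); setuid(i); */
    if ( unix_allowed(mode, 25, 25, p.euid, NULL, 0, P_READ | P_WRITE)) r |= 16; /* file owned by 25 */
    if (sim_seteuid(&p, 18) == 0)  r |= 32;     /* the saved ID lets it go back to 18 ... */
    if (sim_seteuid(&p, 0) == -1)  r |= 64;     /* ... but never to root */
    return r;
}

int main(void) {
    printf("slide_example = %d\n", slide_example());
    printf("owner with 0477 asking to write: %d\n", unix_allowed(0477, 5, 5, 5, NULL, 0, P_WRITE));
    printf("other with 0477 asking to write: %d\n", unix_allowed(0477, 5, 5, 9, NULL, 0, P_WRITE));
    return 0;
}
```

The 0477 case answers the "Question" slide directly: the owner asking to write is refused while any other user succeeds, because resolution stops at the first matching class rather than taking the most permissive one. The last two steps of `slide_example` are why the saved ID matters: after dropping to the real ID the program can still return to 18, so a program that means to give up privilege permanently has to clear the saved ID too (setuid rather than seteuid, as the "details are more complicated" bullet hints).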
Unix summary
• Good things
  – Some protection from most users
  – Flexible enough to make things possible
• Main limitation
  – Too tempting to use root privileges
  – No way to assume some root privileges without all root privileges
Weakness in isolation, privileges
• Network-facing Daemons
  – Root processes with network ports open to all remote parties, e.g., sshd, ftpd, sendmail, …
• Rootkits
  – System extension via dynamically loaded kernel modules
• Environment Variables
  – System variables such as LIBPATH that are shared state across applications. An attacker can change LIBPATH to load an attacker-provided file as a dynamic library
Weakness in isolation, privileges
• Shared Resources
  – Since any process can create files in /tmp directory, an untrusted process may create files that are used by arbitrary system processes
• Time-of-Check-to-Time-of-Use (TOCTTOU)
  – Typically, a root process uses system call to determine if initiating user has permission to a particular file, e.g. /tmp/X.
  – After access is authorized and before the file open, user may change the file /tmp/X to a symbolic link to a target file /etc/shadow.
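The defensive counterpart to the TOCTTOU bullet: check the object you actually opened instead of the path you were given. This is an added example, not code from the slides. `open_owned_regular` opens with `O_NOFOLLOW`, so a path that has become a symbolic link is refused, and then validates type and owner with `fstat` on the descriptor, so the check and the later use refer to the same file. `toctou_demo` builds a scratch directory (under `$TMPDIR` or `/tmp`) with an ordinary file and a symlink to it, and shows that the path-based `access()` check is happy with the symlink while the descriptor-based check is not. The function names and the scratch layout are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` as an ordinary file owned by `expected_owner`. Symbolic links are
 * refused by O_NOFOLLOW, and the remaining checks run on the descriptor we hold,
 * so nothing can be swapped underneath between the check and the use.
 * Returns an open descriptor, or -1. */
int open_owned_regular(const char *path, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                       /* includes ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructs a regular file and a symlink to it, then compares the race-prone
 * path check with the descriptor check. Returns a bitmask of observations
 * (15 = all four as expected) or -1 if the scratch files could not be created. */
int toctou_demo(void) {
    const char *base = getenv("TMPDIR");
    char dir[256], regular[512], linkpath[512];
    snprintf(dir, sizeof dir, "%s/toctou-demo-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(regular, sizeof regular, "%s/data", dir);
    snprintf(linkpath, sizeof linkpath, "%s/link", dir);

    int fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "sample\n", 7) != 7) { if (fd >= 0) close(fd); rmdir(dir); return -1; }
    close(fd);
    if (symlink(regular, linkpath) != 0) { unlink(regular); rmdir(dir); return -1; }

    int r = 0;
    /* 1: the check-then-open pattern: access() follows the link and reports "readable" */
    if (access(linkpath, R_OK) == 0) r |= 1;
    /* 2: O_NOFOLLOW refuses the same path outright */
    if (open_owned_regular(linkpath, geteuid()) == -1) r |= 2;
    /* 4: the ordinary file opens and passes the fstat checks */
    int good = open_owned_regular(regular, geteuid());
    if (good >= 0) { r |= 4; close(good); }
    /* 8: an owner mismatch is detected on the descriptor, not on the path */
    if (open_owned_regular(regular, geteuid() + 1) == -1) r |= 8;

    unlink(linkpath);
    unlink(regular);
    rmdir(dir);
    return r;
}

int main(void) {
    printf("toctou_demo = %d\n", toctou_demo());
    return 0;
}
```

The example only closes the symlink window; a privileged program that must act on behalf of a less privileged user still has to compare `st.st_uid` with that user (or temporarily drop privilege with the ID calls from the earlier slides) rather than trust the path, and directory components can be pinned the same way with `openat` relative to a descriptor.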
Access control in Windows
• Some basic functionality similar to Unix
  – Specify access for groups and users
    • Read, modify, change owner, delete
• Some additional concepts
  – Tokens
  – Security attributes
• Generally
  – More flexible than Unix
    • Can define new permissions
    • Can transfer some but not all privileges (cf. capabilities)
Process has set of tokens
• Security context
  – Privileges, accounts, and groups associated with the process or thread
  – Presented as set of tokens
• Impersonation token
  – Used temporarily to adopt a different security context, usually of another user
Object has security descriptor
• Specifies who can perform what actions on the object
  – Header (revision number, control flags, …)
  – SID of the object's owner
  – SID of the primary group of the object
  – Two attached optional lists:
    • Discretionary Access Control List (DACL) – users, groups, …
    • System Access Control List (SACL) – system logs, …
Example access request
Access token: User: Mark; Group 1: Administrators; Group 2: Writers
Security descriptor: Revision number; Control flags; Owner SID; Group SID; DACL pointer → (Deny Writers Read, Write; Allow Mark Read, Write); SACL pointer
Access request: write
Action: denied
• User Mark requests write permission
• Descriptor denies permission to group
• Reference Monitor denies request (DACL for access, SACL for audit and logging)
Priority (highest first): Explicit Deny, Explicit Allow, Inherited Deny, Inherited Allow
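The access request above as a small DACL evaluator. This is an added example and a simplified model, not the Win32 algorithm or any of its data structures: trustees are plain strings rather than SIDs, the rights mask is constructed, and ACEs are evaluated in the four priority tiers the slide lists rather than by their position in a canonically ordered list. A deny ACE that matches the token and overlaps the request ends evaluation with a refusal; allow ACEs accumulate rights until the whole request is covered; an exhausted list denies.

```c
#include <stdio.h>
#include <string.h>

/* Rights bitmask (constructed; not the real Win32 access-mask values). */
enum { RIGHT_READ = 1, RIGHT_WRITE = 2 };
enum { ACE_ALLOW, ACE_DENY };

struct ace {
    int type;               /* ACE_ALLOW or ACE_DENY */
    int inherited;          /* 1 if the ACE came from a parent object */
    const char *trustee;    /* user or group name standing in for a SID */
    unsigned mask;          /* rights this ACE allows or denies */
};

struct token { const char *user; const char *groups[4]; int n_groups; };

/* Does the ACE's trustee name the token's user or one of its groups? */
static int token_matches(const struct token *t, const char *trustee) {
    if (strcmp(t->user, trustee) == 0) return 1;
    for (int i = 0; i < t->n_groups; i++)
        if (strcmp(t->groups[i], trustee) == 0) return 1;
    return 0;
}

/* Returns 1 if every requested right is granted, 0 otherwise.
 * Tiers in priority order: explicit deny, explicit allow, inherited deny, inherited allow. */
int dacl_check(const struct ace *dacl, int n, const struct token *t, unsigned want) {
    unsigned granted = 0;
    for (int tier = 0; tier < 4; tier++) {
        int tier_type = (tier % 2 == 0) ? ACE_DENY : ACE_ALLOW;
        int tier_inherited = tier / 2;
        for (int i = 0; i < n; i++) {
            const struct ace *a = &dacl[i];
            if (a->type != tier_type || a->inherited != tier_inherited) continue;
            if (!token_matches(t, a->trustee)) continue;
            if (a->type == ACE_DENY) {
                if (a->mask & want) return 0;          /* any denied right refuses the request */
            } else {
                granted |= a->mask;
                if ((granted & want) == want) return 1;
            }
        }
    }
    return 0;   /* nothing granted the request: deny (an empty DACL grants nothing) */
}

/* The slide's scenario: Mark, in Administrators and Writers, asks to write.
 * The explicit deny on Writers is evaluated before the explicit allow on Mark. */
int slide_example(void) {
    const struct ace dacl[] = {
        { ACE_DENY,  0, "Writers", RIGHT_READ | RIGHT_WRITE },
        { ACE_ALLOW, 0, "Mark",    RIGHT_READ | RIGHT_WRITE },
    };
    const struct token mark = { "Mark", { "Administrators", "Writers" }, 2 };
    return dacl_check(dacl, 2, &mark, RIGHT_WRITE);    /* 0: denied */
}

/* Same ACEs, but the deny was inherited from a parent: the explicit allow now wins. */
int inherited_deny_example(void) {
    const struct ace dacl[] = {
        { ACE_DENY,  1, "Writers", RIGHT_READ | RIGHT_WRITE },
        { ACE_ALLOW, 0, "Mark",    RIGHT_READ | RIGHT_WRITE },
    };
    const struct token mark = { "Mark", { "Administrators", "Writers" }, 2 };
    return dacl_check(dacl, 2, &mark, RIGHT_WRITE);    /* 1: allowed */
}

int main(void) {
    printf("explicit deny on group:  write %s\n", slide_example() ? "allowed" : "denied");
    printf("inherited deny on group: write %s\n", inherited_deny_example() ? "allowed" : "denied");
    return 0;
}
```

The second function is the practical lesson of the priority list: the same two ACEs produce the opposite decision depending on whether the deny is explicit or inherited, which is why inherited denies are a weak way to lock down a specific object. The SACL plays no part here; it would decide whether this refusal is logged, not whether it happens.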
Impersonation Tokens (compare to setuid)
• Process adopts security attributes of another
  – Client passes impersonation token to server
• Client specifies impersonation level of server
  – Anonymous
    • Token has no information about the client
  – Identification
    • Obtain the SIDs of client and client's privileges, but server cannot impersonate the client
  – Impersonation
    • Impersonate the client
  – Delegation
    • Lets server impersonate client on local, remote systems
Weakness in isolation, privileges
• Similar problems to Unix
  – E.g., Rootkits leveraging dynamically loaded kernel modules
• Windows Registry
  – Global hierarchical database to store data for all programs
  – Registry entry can be associated with a security context that limits access; common to be able to write sensitive entry
• Enabled By Default
  – Historically, many Windows deployments also came with full permissions and functionality enabled
Discussion?
• Unix access control
  – What information is associated with a process?
  – What information is associated with a resource (file)?
  – How are they compared?
  – What form of delegation or authority is possible?
• Windows access control
  – What information is associated with a process?
  – What information is associated with a resource (file)?
  – How are they compared?
  – What form of delegation or authority is possible?
• Comparison, pros and cons?
Web browser: an analogy
Operating system
• Subject: Processes
  – Has User ID (UID, SID)
  – Discretionary access control
• Objects
  – File
  – Network
  – …
• Vulnerabilities
  – Untrusted programs
  – Buffer overflow
  – …
Web browser
• Subject: web content (JavaScript)
  – Has “Origin”
  – Mandatory access control
• Objects
  – Document object model
  – Frames
  – Cookies / localStorage
• Vulnerabilities
  – Cross-site scripting
  – Implementation bugs
  – …
The web browser enforces its own internal policy. If the browser implementation is corrupted, this mechanism becomes unreliable.
Components of security policy
• Frame-Frame relationships
  – canScript(A,B)
    • Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
  – canNavigate(A,B)
    • Can Frame A change the origin of content for Frame B?
• Frame-principal relationships
  – readCookie(A,S), writeCookie(A,S)
    • Can Frame A read/write cookies from site S?
Chromium Security Architecture
• Browser ("kernel")
  – Full privileges (file system, networking)
• Rendering engine
  – Up to 20 processes
  – Sandboxed
• One process per plugin
  – Full privileges of browser
Chromium
Diagram: communicating sandboxed components
See: http://dev.chromium.org/developers/design-documents/sandbox/
Design Decisions
• Compatibility
  – Sites rely on the existing browser security policy
  – Browser is only as useful as the sites it can render
  – Rules out more “clean slate” approaches
• Black Box
  – Only renderer may parse HTML, JavaScript, etc.
  – Kernel enforces coarse-grained security policy
  – Renderer enforces finer-grained policy decisions
• Minimize User Decisions
Leverage OS Isolation
• Sandbox based on four OS mechanisms
  – A restricted token
  – The Windows job object
  – The Windows desktop object
  – Windows integrity levels
• Specifically, the rendering engine
  – adjusts security token by converting SIDs to DENY_ONLY, adding restricted SID, and calling AdjustTokenPrivileges
  – runs in a Windows Job Object, restricting ability to create new processes, read or write clipboard, …
  – runs on a separate desktop, mitigating lax security checking of some Windows APIs
See: http://dev.chromium.org/developers/design-documents/sandbox/
Discussion?
• How does Chrome architecture use principle of least privilege?
  – What are the isolated modules?
  – Which privileges are given to each module?
• Why is this effective?
• Are there other ways you could use operating system features to improve isolation and least privilege?