secure architecture principles - stanford university
TRANSCRIPT
JohnMitchell
SecureArchitecturePrinciples
CS155 Spring2016
• IsolationandLeastPrivilege• AccessControlConcepts• OperatingSystems• BrowserIsolationandLeastPrivilege
JohnMitchell
SecureArchitecturePrinciples
IsolationandLeastPrivilege
JohnMitchell
PrinciplesofSecureDesign• Compartmentalization
– Isolation– Principleofleastprivilege
• Defenseindepth– Usemorethanonesecuritymechanism– Securetheweakestlink– Failsecurely
• Keepitsimple
JohnMitchell
PrincipleofLeastPrivilege• What’saprivilege?
– Abilitytoaccessormodifyaresource• Assumecompartmentalizationandisolation
– Separatethesystemintoisolatedcompartments– Limitinteractionbetweencompartments
• PrincipleofLeastPrivilege– Asystemmodule shouldonlyhavetheminimalprivileges neededforitsintendedpurposes
JohnMitchell
PrincipleofLeastPrivilege• What’saprivilege?
– Abilitytoaccessormodifyaresource• Assumecompartmentalizationandisolation
– Separatethesystemintoisolatedcompartments– Limitinteractionbetweencompartments
• PrincipleofLeastPrivilege– Asystemmodule shouldonlyhavetheminimalprivileges neededforitsintendedpurposes
JohnMitchell
Monolithicdesign
System
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
JohnMitchell
Monolithicdesign
System
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
JohnMitchell
Monolithicdesign
System
Network
Userinput
Filesystem
Network
Userdisplay
Filesystem
JohnMitchell
Componentdesign
Network
Userinput
Filesystem
Network
Userdisplay
Filesystem
JohnMitchell
Componentdesign
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
JohnMitchell
Componentdesign
Network
Userinput
Filesystem
Network
Userdevice
Filesystem
JohnMitchell
PrincipleofLeastPrivilege• What’saprivilege?
– Abilitytoaccessormodifyaresource• Assumecompartmentalizationandisolation
– Separatethesystemintoisolatedcompartments– Limitinteractionbetweencompartments
• PrincipleofLeastPrivilege– Asystemmodule shouldonlyhavetheminimalprivileges neededforitsintendedpurposes
JohnMitchell
Example:MailAgent• Requirements
– Receiveandsendemailoverexternalnetwork– Placeincomingemailintolocaluserinboxfiles
• Sendmail– TraditionalUnix– Monolithicdesign– Historicalsourceofmanyvulnerabilities
• Qmail– Compartmentalizeddesign
JohnMitchell
OSBasics(beforeexamples)
• Isolationbetweenprocesses– EachprocesshasaUID
• TwoprocesseswithsameUIDhavesamepermissions– Aprocessmayaccessfiles,networksockets,….
• PermissiongrantedaccordingtoUID• Relationtopreviousterminology
– CompartmentdefinedbyUID– Privilegesdefinedbyactionsallowedonsystemresources
JohnMitchell
Qmail design• IsolationbasedonOSisolation
– Separatemodulesrunasseparate“users”– Eachuseronlyhasaccesstospecificresources
• Leastprivilege– MinimalprivilegesforeachUID– Onlyone“setuid”program
• setuid allowsaprogramtorunasdifferentusers– Onlyone“root”program
• rootprogramhasallprivileges
JohnMitchell
Structureofqmail
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
Incoming external mail Incoming internal mail
JohnMitchell
IsolationbyUnixUIDs
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
qmailduser
qmailq
qmailsqmailr
qmailr
root
usersetuid user
qmailq – user who is allowed to read/write mail queue
JohnMitchell
Structureofqmail
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queueReadsincomingmaildirectoriesSplitsmessageintoheader,bodySignalsqmail-send
JohnMitchell
Structureofqmail
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queueqmail-sendsignals
• qmail-lspawn iflocal• qmail-remoteifremote
JohnMitchell
Structureofqmail
qmail-smtpd
qmail-local
qmail-lspawn
qmail-send
qmail-inject
qmail-queue
qmail-lspawn• Spawnsqmail-local• qmail-localrunswithIDofuserreceivinglocalmail
JohnMitchell
Structureofqmail
qmail-smtpd
qmail-local
qmail-lspawn
qmail-send
qmail-inject
qmail-queue
qmail-local• Handlesaliasexpansion• Deliverslocalmail• Callsqmail-queue ifneeded
JohnMitchell
Structureofqmail
qmail-smtpd
qmail-remote
qmail-rspawn
qmail-send
qmail-inject
qmail-queue
qmail-remote• DeliversmessagetoremoteMTA
JohnMitchell
root
IsolationbyUnixUIDs
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
qmailduser
qmailq
qmailsqmailr
qmailr usersetuid user
qmailq – user who is allowed to read/write mail queue
setuid
root
JohnMitchell
Leastprivilege
qmail-smtpd
qmail-localqmail-remote
qmail-lspawnqmail-rspawn
qmail-send
qmail-inject
qmail-queue
root
setuid
JohnMitchell
Androidprocessisolation
• Androidapplicationsandbox– Isolation:EachapplicationrunswithitsownUIDinownVM
• Providesmemoryprotection• CommunicationlimitedtousingUnixdomainsockets• Onlyping,zygote(spawnanotherprocess)runasroot
– Interaction:referencemonitorcheckspermissionsoninter-componentcommunication
– LeastPrivilege:Applicationsannouncespermission• Usergrantsaccessatinstalltime
JohnMitchell
JohnMitchell
App
JohnMitchell
Discussion?• PrincipleofLeastPrivilege• Qmail example• Androidappsandboxexample
JohnMitchell
SecureArchitecturePrinciples
AccessControlConcepts
JohnMitchell
Accesscontrol• Assumptions
– Systemknowswhotheuseris• Authenticationvianameandpassword,othercredential
– Accessrequestspassthroughgatekeeper(referencemonitor)• Systemmustnotallowmonitortobebypassed
ResourceUser
process
Referencemonitor
accessrequest
policy
?
JohnMitchell
Accesscontrolmatrix[Lampson]
File 1 File 2 File 3 … File n
User 1 read write - - read
User 2 write write write - -
User 3 - - - read read
…
User m read write read write read
Subjects
Objects
JohnMitchell
Implementationconcepts• Accesscontrollist(ACL)
– Storecolumnofmatrixwiththeresource
• Capability– Userholdsa“ticket”foreachresource
– Twovariations• storerowofmatrixwithuser,underOScontrol• unforgeable ticket inuserspace
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m Read write write
Accesscontrollistsarewidelyused,oftenwithgroupsSomeaspectsofcapabilityconceptareusedinmanysystems
JohnMitchell
ACLvsCapabilities• Accesscontrollist
– Associatelistwitheachobject– Checkuser/groupagainstlist– Reliesonauthentication:needtoknowuser
• Capabilities– Capabilityisunforgeableticket
• Randombitsequence,ormanagedbyOS• Canbepassedfromoneprocesstoanother
– Referencemonitorchecksticket• Doesnotneedtoknowidentifyofuser/process
JohnMitchell
ACLvsCapabilities
ProcessPUserU
ProcessQUserU
ProcessRUserU
ProcessPCapabilty c,d,e
ProcessQ
ProcessRCapabilty c
Capabilty c,e
JohnMitchell
ACLvsCapabilities• Delegation
– Cap:Processcanpasscapabilityatruntime– ACL:Trytogetownertoaddpermissiontolist?
• Morecommon:letotherprocessactundercurrentuser• Revocation
– ACL:Removeuserorgroupfromlist– Cap:Trytogetcapabilitybackfromprocess?
• Possibleinsomesystemsifappropriatebookkeeping– OSknowswhichdataiscapability– Ifcapabilityisusedformultipleresources,havetorevokeallornone…
• Indirection:capabilitypointstopointertoresource– IfC® P® R,thenrevokecapabilityCbysettingP=0
JohnMitchell
Roles(akaGroups)• Role=setofusers
– Administrator,PowerUser,User,Guest– Assignpermissionstoroles;eachusergetspermission
• Rolehierarchy– Partialorderofroles– Eachrolegets
permissionsofrolesbelow– Listonlynewpermissionsgiventoeachrole
Administrator
Guest
PowerUser
User
JohnMitchell
Role-BasedAccessControlIndividuals Roles Resources
engineering
marketing
humanres
Server1
Server3
Server2
Advantage:userschangemorefrequentlythanroles
JohnMitchell
Accesscontrolsummary• Accesscontrolinvolvesreferencemonitor
– Checkpermissions:áuserinfo,actionñ® yes/no– Important:nowayaroundthischeck
• Accesscontrolmatrix– Accesscontrollistsvscapabilities– Advantagesanddisadvantagesofeach
• Role-basedaccesscontrol– Usegroupas“userinfo”;usegrouphierarchies
JohnMitchell
Discussion?• Accesscontrolmatrix
– Accesscontrollist(ACL)– Capabilities
• Role-basedaccesscontrol
JohnMitchell
SecureArchitecturePrinciples
OperatingSystems
JohnMitchell
Unixaccesscontrol
• Processhasuserid– Inheritfromcreatingprocess– Processcanchangeid
• Restrictedsetofoptions– Special“root”id
• Allaccessallowed• Filehasaccesscontrollist(ACL)
– Grantspermissiontouserids– Owner,group,other
File 1 File 2 …
User 1 read write -
User 2 write write -
User 3 - - read
…
User m Read write write
JohnMitchell
Unixfileaccesscontrollist• Eachfilehasownerandgroup• Permissionssetbyowner
– Read,write,execute– Owner,group,other– Representedbyvectorof
fouroctalvalues• Onlyowner,rootcanchangepermissions
– Thisprivilegecannotbedelegatedorshared• Setid bits– Discussinafewslides
rwx rwxrwx-ownr grp othr
setid
JohnMitchell
Question• Ownercanhavefewerprivilegesthanother
– Whathappens?• Ownergetsaccess?• Ownerdoesnot?
Prioritizedresolutionofdifferencesifuser=ownerthenownerpermission
elseifuseringroupthengrouppermissionelseotherpermission
JohnMitchell
Processeffectiveuserid(EUID)• EachprocesshasthreeIds(+moreunderLinux)
– RealuserID(RUID)• sameastheuserIDofparent(unlesschanged)• usedtodeterminewhichuserstartedtheprocess
– EffectiveuserID(EUID)• fromsetuserIDbitonthefilebeingexecuted,orsyscall• determinesthepermissionsforprocess
– fileaccessandportbinding– SaveduserID(SUID)
• SopreviousEUIDcanberestored
• RealgroupID,effectivegroupID,usedsimilarly
JohnMitchell
ProcessOperationsandIDs• Root
– ID=0forsuperuser root;canaccessanyfile• ForkandExec
– InheritthreeIDs,exceptexecoffilewithsetuid bit• Setuid systemcall
– seteuid(newid)cansetEUIDto• RealIDorsavedID,regardlessofcurrentEUID• AnyID,ifEUID=0
• Detailsareactuallymorecomplicated– Severaldifferentcalls:setuid,seteuid,setreuid
JohnMitchell
SetidbitsonexecutableUnixfile• Threesetidbits
– Setuid– setEUIDofprocesstoIDoffileowner– Setgid– setEGIDofprocesstoGIDoffile– Sticky
• Off:ifuserhaswritepermissionondirectory,canrenameorremovefiles,evenifnotowner
• On:onlyfileowner,directoryowner,androotcanrenameorremovefileinthedirectory
JohnMitchell
Example
…;…;exec();
RUID25 SetUID
program
…;…;i=getruid()setuid(i);…;…;
RUID25EUID18
RUID25EUID25
-rw-r--r--file
-rw-r--r--file
Owner18
Owner25
read/write
read/write
Owner18
JohnMitchell
Unixsummary• Goodthings
– Someprotectionfrommostusers– Flexibleenoughtomakethingspossible
• Mainlimitation– Tootemptingtouserootprivileges– Nowaytoassumesomerootprivilegeswithoutallrootprivileges
JohnMitchell
Weaknessinisolation,privileges• Network-facingDaemons
– Rootprocesseswithnetworkportsopentoallremoteparties,e.g.,sshd,ftpd,sendmail,…
• Rootkits– Systemextensionviadynamicallyloadedkernelmodules
• EnvironmentVariables– SystemvariablessuchasLIBPATHthataresharedstateacross
applications.AnattackercanchangeLIBPATHtoloadanattacker-providedfileasadynamiclibrary
JohnMitchell
Weaknessinisolation,privileges• SharedResources
– Sinceanyprocesscancreatefilesin/tmp directory,anuntrustedprocessmaycreatefilesthatareusedbyarbitrarysystemprocesses
• Time-of-Check-to-Time-of-Use(TOCTTOU)– Typically,arootprocessusessystemcalltodetermineifinitiatinguser
haspermissiontoaparticularfile,e.g./tmp/X.– Afteraccessisauthorizedandbeforethefileopen,usermaychange
thefile/tmp/Xtoasymboliclinktoatargetfile/etc/shadow.
JohnMitchell
AccesscontrolinWindows• SomebasicfunctionalitysimilartoUnix
– Specifyaccessforgroupsandusers• Read,modify,changeowner,delete
• Someadditionalconcepts– Tokens– Securityattributes
• Generally– MoreflexiblethanUnix
• Candefinenewpermissions• Cantransfersomebutnotallprivileges(cf. capabilities)
JohnMitchell
JohnMitchell
Processhassetoftokens• Securitycontext
– Privileges,accounts,andgroupsassociatedwiththeprocessorthread
– Presentedassetoftokens• Impersonationtoken
– Usedtemporarilytoadoptadifferentsecuritycontext,usuallyofanotheruser
JohnMitchell
Objecthassecuritydescriptor• Specifieswhocanperformwhatactionsontheobject
– Header(revisionnumber,controlflags,…)– SIDoftheobject'sowner– SIDoftheprimarygroupoftheobject– Twoattachedoptionallists:
• DiscretionaryAccessControlList(DACL)– users,groups,…• SystemAccessControlList(SACL)– systemlogs,..
JohnMitchell
Exampleaccessrequest
Group1:AdministratorsGroup2:Writers
Controlflags
GroupSIDDACLPointerSACLPointer
DenyWritersRead,WriteAllowMarkRead,Write
OwnerSID
RevisionNumber
Accesstoken
Securitydescriptor
Accessrequest:writeAction:denied
• User Mark requests write permission• Descriptor denies permission to group• Reference Monitor denies request(DACL for access, SACL for audit and logging)
Priority:ExplicitDenyExplicitAllowInheritedDenyInheritedAllow
User:Mark
JohnMitchell
ImpersonationTokens(comparetosetuid)
• Processadoptssecurityattributesofanother– Clientpassesimpersonationtokentoserver
• Clientspecifiesimpersonationlevelofserver– Anonymous
• Tokenhasnoinformationabouttheclient– Identification
• ObtaintheSIDsofclientandclient'sprivileges,butservercannotimpersonatetheclient
– Impersonation• Impersonatetheclient
– Delegation• Letsserverimpersonateclientonlocal,remotesystems
JohnMitchell
Weaknessinisolation,privileges• SimilarproblemstoUnix
– E.g.,Rootkitsleveragingdynamicallyloadedkernelmodules• WindowsRegistry
– Globalhierarchicaldatabasetostoredataforallprograms– Registryentrycanbeassociatedwithasecuritycontextthat
limitsaccess;commontobeabletowritesensitiveentry• EnabledByDefault
– Historically,manyWindowsdeploymentsalsocamewithfullpermissionsandfunctionalityenabled
JohnMitchell
Discussion?• Unixaccesscontrol
– Whatinformationisassociatedwithaprocess?– Whatinformationisassociatedwitharesource(file)?– Howaretheycompared?– Whatformofdelegationorauthorityispossible?
• Windowsaccesscontrol– Whatinformationisassociatedwithaprocess?– Whatinformationisassociatedwitharesource(file)?– Howaretheycompared?– Whatformofdelegationorauthorityispossible?
• Comparison,prosandcons?
JohnMitchell
SecureArchitecturePrinciples
BrowserIsolationandLeastPrivilege
JohnMitchell
Webbrowser:ananalogy
Operatingsystem• Subject:Processes
– HasUserID(UID,SID)– Discretionaryaccesscontrol
• Objects– File– Network– …
• Vulnerabilities– Untrustedprograms– Bufferoverflow– …
Webbrowser• Subject:webcontent(JavaScript)
– Has“Origin”– Mandatoryaccesscontrol
• Objects– Documentobjectmodel– Frames– Cookies/localStorage
• Vulnerabilities– Cross-sitescripting– Implementationbugs– …
Thewebbrowserenforcesitsowninternalpolicy.Ifthebrowserimplementationiscorrupted,thismechanismbecomesunreliable.
JohnMitchell
Componentsofsecuritypolicy• Frame-Framerelationships
– canScript(A,B)• CanFrameAexecuteascriptthatmanipulatesarbitrary/nontrivialDOMelementsofFrameB?
– canNavigate(A,B)• CanFrameAchangetheoriginofcontentforFrameB?
• Frame-principalrelationships– readCookie(A,S),writeCookie(A,S)
• CanFrameAread/writecookiesfromsiteS?
JohnMitchell
ChromiumSecurityArchitecture
• Browser("kernel")– Fullprivileges(filesystem,networking)
• Renderingengine– Upto20processes– Sandboxed
• Oneprocessperplugin– Fullprivileges ofbrowser
JohnMitchell
Chromium
Communicatingsandboxedcomponents
See:http://dev.chromium.org/developers/design-documents/sandbox/
JohnMitchell
DesignDecisions• Compatibility
– Sitesrelyontheexistingbrowsersecuritypolicy– Browserisonlyasusefulasthesitesitcanrender– Rulesoutmore“cleanslate”approaches
• BlackBox– OnlyrenderermayparseHTML,JavaScript,etc.– Kernelenforcescoarse-grainedsecuritypolicy– Renderertoenforcesfiner-grainedpolicydecisions
• MinimizeUserDecisions
JohnMitchell
TaskAllocation
JohnMitchell
LeverageOSIsolation• SandboxbasedonfourOSmechanisms
– Arestrictedtoken– TheWindows job object– TheWindows desktopobject– Windowsintegritylevels
• Specifically,therenderingengine– adjustssecuritytokenbyconvertingSIDStoDENY_ONLY,adding
restrictedSID,andcallingAdjustTokenPrivileges– runsinaWindowsJobObject,restrictingabilitytocreatenew
processes,readorwriteclipboard,..– runsonaseparatedesktop,mitigatinglaxsecuritycheckingofsome
WindowsAPIsSee:http://dev.chromium.org/developers/design-documents/sandbox/
JohnMitchell
Evaluation:CVEcount
• TotalCVEs:
• Arbitrarycodeexecutionvulnerabilities:
JohnMitchell
Discussion?• HowdoesChromearchitectureuseprincipleofleastprivilege?
– Whataretheisolatedmodules?– Whichprivilegesaregiventoeachmodule?
• Whyisthiseffective?• Arethereotherwaysyoucoulduseoperatingsystemfeatures
toimproveisolationandleastprivilege?
JohnMitchell
Summary• Securityprinciples
– Isolation– PrincipleofLeastPrivilege– Qmail example
• AccessControlConcepts– Matrix,ACL,Capabilities
• OSMechanisms– Unix:UID,ACL,Setuid– Windows:SID,Tokens,SecurityDescriptor,Impersonation
• Browsersecurityarchitecture– Isolationandleastprivilegeexample