Published on

Security in ordinary OS, UNIX

UNIX System

Unix was developed by Bell Labs(Ken Thompson, Dennis Ritchie, and Douglas Mcllroy) in the late 1960s and early 1970s. It is a multi-user operating system that provides protection from other users and protection for system services from users. Unix was designed as a simpler and faster alternative to Multics.

UNIX Security

  • A running Unix system consists of the operating system kernel and many processes, each running a program. The protection ring isolates the Unix kernel from the processes, and each process has its own address space.
  • Unix uses the concept of files for all persistent system objects, such as secondary storage, I/O devices, network, and inter-process communication.
  • Unix security aims to protect users from each other and to protect the Trusted Computing Base (TCB) from all users.
  • The UNIX TCB (Trusted Computing Base) consists of the kernel and several processes that run with the identity of the privileged user, root, or superuser.
  • These root processes provide various services, including system boot, user authentication, administration, and network services.
  • A Unix process is associated with an identity based on the user associated with the process. Access to files is limited by the process's identity.
    • Each user owns a set of files - providing a simple way to express who else can access them. All user processes run as that user.
    • The system owns a set of files - The root user is defined as the system principal and can access anything.
    • Users can invoke system services but need to switch to the root user (setuid) to do so.
  • Both the kernel and root processes have full system access.
  • The UNIX DAC security model cannot express security requirements, as many rights are accessible by default, and means for limiting rights are impractical.
  • The use of UNIX mechanisms has evolved over time, resulting in vulnerabilities.

Protection System

  • Implements a classical protection system, not a secure protection system.
  • The Unix protection system consists of a protection state and a set of operations that enable processes to modify that state. Thus, UNIX is a discretionary access control (DAC) system.
  • Aspects of a Secure Protection System:
    • The Unix protection system defines a transition state that describes how processes change between protection domains.
    • The labeling state is largely ad hoc. Trusted services associate processes with user identities, but users can control the assignment of permissions to system resources.
    • In the final analysis, these mechanisms and the DAC are insufficient to build a system that satisfies the secure OS requirements.

Protection status:

  • Subjects
    • Users
    • Groups
    • The process accesses objects on behalf of the corresponding user.
  • Objects
    • Files
    • Directories
  • Operations
    • Read
    • Write
    • Execute

Subjects:

  • Users:
    • username
    • uid
    • groups
    • Special user - root
    • Nobody - special user with no ownership and belonging to no groups
  • Process:
    • uid, gid - real user id, effective user id, and file system user id
    • Users run processes.
  • Groups:
    • Users belong to one or more groups.
    • The primary group is defined in /etc/passwd.
    • All other groups are defined in /etc/group.
    • Commands to change group membership (newgrp).
    • Group membership grants additional permissions beyond uid.

Challenges:

  • Unix is more focused on protection than security. It assumes a non-malicious user and a trusted system by default.
  • One challenge in Unix is the Discretionary Access Control (DAC) system, which allows a user or their processes to update permission assignments. This means that each program has all the user's rights, and the user must trust that their processes are not malicious.
  • Another challenge is assigning file permissions based on what is necessary for things to work. Unfortunately, this means that all user processes are granted full access, and services have unrestricted access. Furthermore, users can invoke setuid(root) processes with all rights, which means they must trust the system processes.

Authentication

  • Login Process:
    • Starts at boot time and runs as root.
    • Takes a username and password.
    • Applies crypt() to the password with stored salt.
    • Compares the resulting password to the value in /etc/shadow for that user.
  • Start a process for a user:
    • Execute the file specified as login in /etc/passwd.
    • The identification (uid, gid, groups) is set by the login.

Authorization

The file's owner UID must be equal to the process's effective UID, and the file's group GID must be a member of the process's active group.

UID Transition

  • During the login process, the user ID is root
  • After authentication, the user ID for the shell becomes "paolo".
  • Setuid enables a user to escalate privileges and define the execution environment.
  • Services must protect themselves, otherwise, a user might gain root access.

UNIX Object

  • Unix objects are represented as files, which can be categorized into:
    • Regular files
    • Device files
    • Socket files
    • FIFO files
    • Link files
  • Directories are a hierarchical organization of files. A file's path is a sequence of directories followed by the file name.
  • Beyond socket files, there is no network access control.

Permissions

File permissions are divided into three categories: Owner, Group, and Others.

The three types of permissions are Read, Write, and Execute, represented by rwx

ex) chmod 644 file - owner can read/write, group, others can read only.

  • chmod is a command used to change the permissions of a file.
  • chown is a command used to change the owner of a file.
  • chgrp is a command used to change the group of a file.

Chroot

Chroot is a way to create a domain in which a process is confined. The process can only read and write within a filesystem subtree, which applies to all descendant processes. You can also carry file descriptors in a 'chroot jail'. Setting up requires great care because, unfortunately, chroot can trick its own system.

UNIX vulnerabilities

  • Some UNIX functions have security problems, including:
    • The ability to mount a CD-ROM
    • The ability to mount a filesystem with privileged functions
  • These vulnerabilities can either be system-wide issues or require careful programming to prevent buffer overflows.
  • Mount vulnerabilities occur when multiple file systems on different physical devices are mounted under the same directory (/), and when a file system is mounted with a setuid program.
  • Link vulnerabilities include adding a new path to an inode, assigning multiple names to a single node, and requiring programs to know which files they are using.
  • Device file vulnerabilities can bypass access control by accessing memory or user inputs.
  • The /tmp vulnerability involves creating a file in the shared space (/tmp), giving it a filename used by a higher authority service, and ensuring that the service can access the file.

Linux Vulnerabilities

  • Buffer overflows
  • Race conditions
  • Abuse of programs running with "setuid root"
  • Denial of service attacks(DOS)
  • Web application vulnerabilities
  • Rootkit attacks

System Security Tools

  • Bastille: A comprehensive system-hardening utility that educates as it secures.
  • Tripwire: A utility that maintains a database of crucial system file characteristics and reports all changes made to them.
  • Snort: A powerful, free intrusion detection system (IDS) that detects common network-based attacks.
  • Nessus: A modular security scanner that probes for common system and application vulnerabilities.