Principles of Secure Design
- Compartmentalization
  - Isolation
  - Principle of least privilege
- Defense in depth
  - Use more than one security mechanism
  - Secure the weakest link
  - Fail securely
- Keep it simple
Secure Architecture Principles
Isolation and Least Privilege

John Mitchell
[Figure: Monolithic design versus component design. In the monolithic design a single program touches the network, user input, the system and the file system directly; in the component design separate components each handle only the network, user input, the user device, the user display or the file system.]

4/18/2013
Principle of Least Privilege
- What's a privilege?
  - Ability to access or modify a resource
- Assume compartmentalization and isolation
  - Separate the system into independent modules
  - Limit interaction between modules
- Principle of Least Privilege
  - A system module should only have the minimal privileges needed for its intended purposes

Example: Mail Agent
- Requirements
  - Receive and send email over external network
  - Place incoming email into local user inbox files
- Sendmail
  - Traditional Unix
  - Monolithic design
  - Historical source of many vulnerabilities
- Qmail
  - Compartmentalized design
Qmail design
- Structure of qmail
- Isolation based on OS isolation
  - Separate modules run as separate users
  - Each user only has access to specific resources
- Least privilege
  - Only one setuid program
    - setuid allows a program to run as different users
  - Only one root program
    - root program has all privileges

[Figure: Structure of qmail. qmail-smtpd and qmail-inject hand messages to qmail-queue; qmail-queue passes them to qmail-send; qmail-send dispatches to qmail-rspawn (which runs qmail-remote) or qmail-lspawn (which runs qmail-local).]
Isolation by Unix UIDs

[Figure: Structure of qmail annotated with the Unix user each component runs as: qmail-smtpd runs as qmaild; qmail-inject runs as the invoking user; qmail-queue runs setuid to qmailq; qmail-send runs as qmails; qmail-rspawn and qmail-remote run as qmailr; qmail-lspawn runs as root; qmail-local runs as the user receiving the mail.]

Structure of qmail
- qmail-queue
  - Reads incoming mail directories
  - Splits message into header, body
  - Signals qmail-send
Structure of qmail
- qmail-send signals
  - qmail-lspawn if local
  - qmail-remote if remote

Structure of qmail
- qmail-lspawn
  - Spawns qmail-local
  - qmail-local runs with ID of user receiving local mail
Structure of qmail
- qmail-local
  - Handles alias expansion
  - Delivers local mail
  - Calls qmail-queue if needed

Structure of qmail
- qmail-remote
  - Delivers message to remote MTA
Isolation by Unix UIDs: least privilege

[Figure: The same structure of qmail, highlighting the privileged components: qmail-queue is the only setuid program (setuid to qmailq), and qmail-lspawn is the only program that runs as root; qmail-lspawn uses setuid to run qmail-local as the user receiving the mail.]
Android process isolation
- Android application sandbox
  - Isolation: each application runs with its own UID in its own VM
    - Provides memory protection
    - Communication protected using Unix domain sockets
    - Only ping, zygote (spawn another process) run as root
  - Interaction: reference monitor checks permissions on inter-component communication
  - Least privilege: applications announce permissions
    - User grants access at install time

Access Control Concepts
Access control
- Access control matrix [Lampson]

[Figure: Access control matrix. Rows are subjects User 1, User 2, User 3, ..., User m; columns are objects File 1, File 2, File 3, ..., File n; each cell holds the rights (read, write) that subject has on that object.]

- Assumptions
  - System knows who the user is
    - Authentication via name and password, other credential
  - Access requests pass through gatekeeper (reference monitor)
    - System must not allow monitor to be bypassed

[Figure: A user process issues an access request; the reference monitor consults the policy and mediates access to the resource.]
Two implementation concepts
- Access control list (ACL)
  - Store column of matrix with the resource
- Capability
  - User holds a ticket for each resource
  - Two variations
    - store row of matrix with user, under OS control
    - unforgeable ticket in user space

[Figure: The matrix again. An ACL is one column (the rights User 1 ... User m hold on File 1); a capability list is one row (the rights one user holds on File 1, File 2, ...).]

ACL vs Capabilities
- Access control lists are widely used, often with groups
- Some aspects of capability concept are used in many systems
ACL vs Capabilities
- Access control list
  - Associate list with each object
  - Check user/group against list
  - Relies on authentication: need to know user
- Capabilities
  - Capability is unforgeable ticket
    - Random bit sequence, or managed by OS
    - Can be passed from one process to another
  - Reference monitor checks ticket
    - Does not need to know identity of user/process

[Figure: User U runs processes P, Q and R; P holds capabilities c, d, e; Q holds capabilities c, e.]
ACL vs Capabilities
- Delegation
  - Cap: process can pass capability at run time
  - ACL: try to get owner to add permission to list?
    - More common: let other process act under current user
- Revocation
  - ACL: remove user or group from list
  - Cap: try to get capability back from process?
    - Possible in some systems if appropriate bookkeeping
      - OS knows which data is capability
      - If capability is used for multiple resources, have to revoke all or none
    - Indirection: capability points to pointer to resource
      - If C → P → R, then revoke capability C by setting P = 0

[Figure: User U's processes P, Q and R with their capability lists: P holds c, d, e; Q holds c, e; R holds c (passed to it by delegation).]
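The two implementations of the matrix, and the revocation-by-indirection trick, as an added example (not part of the lecture): a small reference monitor that keeps an ACL with each object and hands out random-bit capability tickets, storing the resource pointer P on the monitor side so that clearing P revokes every copy of C at once. Resource names, subjects and rights are constructed for illustration.

```python
"""Added example (not from the lecture): a tiny reference monitor supporting both
implementations of Lampson's matrix, an ACL stored with each object and unforgeable
capability tickets held by processes, with revocation through one level of
indirection (C -> P -> R: clearing the pointer P kills every copy of C)."""
import secrets


class Resource:
    def __init__(self, name):
        self.name = name
        self.acl = {}          # ACL: subject -> set of rights (one column of the matrix)


class ReferenceMonitor:
    """All access goes through here; the monitor must not be bypassable."""

    def __init__(self):
        self._slots = {}       # ticket C -> [resource-or-None (the pointer P), rights]

    # --- ACL path: needs the subject's authenticated identity ------------------
    def acl_check(self, subject, resource, right):
        return right in resource.acl.get(subject, set())

    # --- Capability path: only the ticket is checked, identity is not needed ---
    def grant_capability(self, resource, rights):
        ticket = secrets.token_hex(16)                 # unforgeable: 128 random bits
        self._slots[ticket] = [resource, set(rights)]  # P is kept under OS control
        return ticket                                  # C is just these bits

    def cap_check(self, ticket, right):
        slot = self._slots.get(ticket)
        if slot is None or slot[0] is None:            # unknown ticket, or revoked (P = 0)
            return False
        return right in slot[1]

    def revoke(self, ticket):
        """Set P = 0: every process holding a copy of this ticket loses access."""
        if ticket in self._slots:
            self._slots[ticket][0] = None


def demo():
    monitor = ReferenceMonitor()
    file1 = Resource("file1")
    file1.acl["alice"] = {"read", "write"}             # constructed ACL entries
    file1.acl["bob"] = {"read"}

    # ACL: the decision depends on who the subject is.
    acl_results = (monitor.acl_check("alice", file1, "write"),
                   monitor.acl_check("bob", file1, "write"))

    # Capability: process P obtains ticket c and delegates it to process R simply
    # by passing the bits; the monitor never learns which user R belongs to.
    c = monitor.grant_capability(file1, {"read"})
    held_by_r = c
    before = monitor.cap_check(held_by_r, "read")
    forged = secrets.token_hex(16)                     # a guessed ticket does not work
    forged_ok = monitor.cap_check(forged, "read")

    monitor.revoke(c)                                  # all copies die together
    after = monitor.cap_check(held_by_r, "read")
    return acl_results, before, forged_ok, after
```

Note the asymmetry the slide describes: the ACL check is useless without authentication, while the capability check never consults identity, which is exactly why revocation needs the extra bookkeeping (the pointer slot) that the ACL gets for free by editing the list.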
Role-Based Access Control
- Roles (also called Groups)
  - Role = set of users
    - Administrator, Power User, User, Guest
  - Assign permissions to roles; each user gets permission
- Role hierarchy
  - Partial order of roles
    - Each role gets permissions of roles below
    - List only new permissions given to each role

[Figure: Role hierarchy Administrator > Power User > User > Guest. Individuals are assigned to roles (engineering, marketing, humanres), and roles are granted access to resources (Server 1, Server 2, Server 3).]

- Advantage: users change more frequently than roles
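The role hierarchy with inherited permissions, as an added example (not from the lecture): each role lists only its new permissions, the partial order is walked to collect the permissions of every role below, and adding a user is a one-line change to the user-to-role map. Role names follow the slide; users, servers and actions are constructed.

```python
"""Added example (not from the lecture): role-based access control with a role
hierarchy. Each role lists only its new permissions; everything held by roles
below it in the partial order is inherited. Users, servers and actions are
constructed for illustration."""

# Partial order: role -> roles directly below it (whose permissions it inherits).
ROLE_HIERARCHY = {
    "Administrator": {"PowerUser"},
    "PowerUser": {"User"},
    "User": {"Guest"},
    "Guest": set(),
}

# Only the permissions that are new to each role are listed.
ROLE_PERMISSIONS = {
    "Administrator": {("Server3", "admin")},
    "PowerUser": {("Server2", "write")},
    "User": {("Server1", "write"), ("Server2", "read")},
    "Guest": {("Server1", "read")},
}

# User -> roles. This map changes far more often than the roles themselves.
USER_ROLES = {"alice": {"Administrator"}, "bob": {"User"}, "carol": {"Guest"}}


def roles_below(role, hierarchy=ROLE_HIERARCHY):
    """All roles reachable downward from `role`, itself included (transitive closure)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(hierarchy.get(r, ()))
    return seen


def effective_permissions(role, hierarchy=ROLE_HIERARCHY, perms=ROLE_PERMISSIONS):
    """Union of the role's own permissions and those of every role below it."""
    result = set()
    for r in roles_below(role, hierarchy):
        result |= perms.get(r, set())
    return result


def is_allowed(user, resource, action, user_roles=USER_ROLES):
    """Reference-monitor decision: allowed iff some role of the user grants it."""
    return any((resource, action) in effective_permissions(r)
               for r in user_roles.get(user, ()))


def add_user(user, role, user_roles=USER_ROLES):
    """Onboarding touches only the user->role map; the permission tables stay fixed."""
    user_roles.setdefault(user, set()).add(role)
```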
Secure Architecture Principles
Operating Systems

Unix access control
- Process has user id
  - Inherit from creating process
  - Process can change id
    - Restricted set of options
  - Special root id
    - Bypass access control restrictions
- File has access control list (ACL)
  - Grants permission to user ids
  - Owner, group, other

[Figure: The access control matrix (User 1 ... User m by File 1, File 2, ...) with read/write entries.]
Unix file access control list
- Each file has owner and group
- Permissions set by owner
  - Read, write, execute
  - Owner, group, other
  - Represented by vector of four octal values

      setid   rwx    rwx    rwx
              ownr   grp    othr

- Only owner, root can change permissions
  - This privilege cannot be delegated or shared
- Setid bits: discuss in a few slides
- Prioritized resolution of differences
  - if user = owner then owner permission
  - else if user in group then group permission
  - else other permission

Question
- Owner can have fewer privileges than other
  - What happens?
    - Owner gets access?
    - Owner does not?
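The prioritized resolution rule modelled in code, as an added example (not from the lecture). The mode is the four-octal-digit vector from the slide; the first matching class decides and the later classes are never consulted, which is what answers the question above: with mode 0077 the owner gets nothing while everyone else gets rwx, and only uid 0 bypasses the check. Users, groups and files are constructed.

```python
"""Added example (not from the lecture): the Unix permission check in Python.
The mode is the four-octal-digit vector (setid bits, then owner/group/other rwx)
and access is resolved by the prioritized rule on the slide: the first matching
class decides. Users, groups and files here are constructed."""
import stat

RIGHT_BIT = {"read": 4, "write": 2, "execute": 1}


class File:
    def __init__(self, name, owner_uid, group_gid, mode):
        self.name, self.owner_uid, self.group_gid, self.mode = name, owner_uid, group_gid, mode


def permission_class(mode, uid, gids, owner_uid, group_gid):
    """Return ("owner"|"group"|"other", 3-bit rwx) following the prioritized resolution."""
    if uid == owner_uid:                    # if user = owner then owner permission
        return "owner", (mode >> 6) & 0o7
    if group_gid in gids:                   # else if user in group then group permission
        return "group", (mode >> 3) & 0o7
    return "other", mode & 0o7              # else other permission


def access(file, uid, gids, right):
    """Kernel-style decision: root (uid 0) bypasses the permission bits entirely."""
    if uid == 0:
        return True
    _, bits = permission_class(file.mode, uid, gids, file.owner_uid, file.group_gid)
    return bool(bits & RIGHT_BIT[right])


def setid_bits(mode):
    """The leading octal digit of the vector: setuid, setgid, sticky."""
    return {"setuid": bool(mode & stat.S_ISUID),
            "setgid": bool(mode & stat.S_ISGID),
            "sticky": bool(mode & stat.S_ISVTX)}


def answer_to_question():
    """Owner has fewer privileges than other: mode 0077, owner uid 1000, other uid 1001."""
    f = File("notes", owner_uid=1000, group_gid=100, mode=0o0077)
    return {"owner reads": access(f, 1000, {100}, "read"),
            "other reads": access(f, 1001, {200}, "read"),
            "root reads": access(f, 0, set(), "read")}
```

The owner is denied because the owner class matched first and its bits are zero; the kernel does not fall through to the more permissive "other" class. The owner can of course chmod the file, since changing permissions is an owner privilege independent of the rwx bits.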
Process Operations and IDs
- Each process has three IDs (+ more under Linux)
  - Real user ID (RUID)
    - same as the user ID of parent (unless changed)
    - used to determine which user started the process
  - Effective user ID (EUID)
    - from set user ID bit on the file being executed, or sys call
    - determines the permissions for process
      - file access and port binding
    - ID = 0 for superuser root; can access any file
  - Saved user ID (SUID)
    - So previous EUID can be restored
- Real group ID, effective group ID, used similarly

Process effective user ID (EUID)
- Fork and Exec
  - Inherit three IDs, except exec of file with setuid bit
- Setuid system calls
  - seteuid(newid) can set EUID to
    - Real ID or saved ID, regardless of current EUID
    - Any ID, if EUID = 0
- Details are actually more complicated
  - Several different calls: setuid, seteuid, setreuid
Setid bits on executable Unix file
- Three setid bits
  - Setuid: set EUID of process to ID of file owner
  - Setgid: set EGID of process to GID of file
  - Sticky
    - Off: if user has write permission on directory, can rename or remove files, even if not owner
    - On: only file owner, directory owner, and root can rename or remove file in the directory

Example

[Figure: A process with RUID 25 exec()s a setuid program owned by user 18. After exec the process has RUID 25 and EUID 18, and can read/write a file owned by 18 (mode rw-r--r--). It then runs i = getruid(); setuid(i); leaving RUID 25 and EUID 25, after which it can read/write only a file owned by 25 (mode rw-r--r--).]
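The ID transitions from the last two slides, as an added example (not from the lecture): a model of RUID/EUID/SUID under fork, exec of a setuid file, seteuid and setuid, run through the slide's RUID 25 / owner 18 walk-through and through a root program dropping privileges for good. The rules coded are the ones stated on the slides plus the POSIX behaviour that setuid() called with EUID 0 changes all three IDs; UIDs are constructed.

```python
"""Added example (not from the lecture): a model of the RUID/EUID/SUID rules on
the slides. exec() of a setuid file installs the file owner as EUID (and as the
saved ID); seteuid() may move EUID to the real or saved ID, or anywhere if EUID
is 0; setuid() called with EUID 0 changes all three IDs (POSIX), which is how a
root program gives up privilege permanently. UIDs are constructed."""
from dataclasses import dataclass


@dataclass
class Process:
    ruid: int
    euid: int
    suid: int

    def fork(self):
        """Child inherits all three IDs."""
        return Process(self.ruid, self.euid, self.suid)

    def exec(self, file_owner, setuid_bit):
        """IDs survive exec unless the file has the setuid bit."""
        if setuid_bit:
            self.euid = file_owner
            self.suid = file_owner
        return self

    def seteuid(self, new_id):
        """seteuid(newid): real or saved ID regardless of EUID; any ID if EUID = 0."""
        if self.euid == 0 or new_id in (self.ruid, self.suid):
            self.euid = new_id
            return 0
        return -1                                # EPERM

    def setuid(self, new_id):
        """setuid(newid): with EUID 0 all three IDs change (no way back);
        otherwise it behaves like seteuid."""
        if self.euid == 0:
            self.ruid = self.euid = self.suid = new_id
            return 0
        return self.seteuid(new_id)

    def ids(self):
        return (self.ruid, self.euid, self.suid)


def slide_example():
    """RUID 25 runs a setuid program owned by 18, then gives the privilege back."""
    p = Process(25, 25, 25).exec(file_owner=18, setuid_bit=True)
    after_exec = p.ids()                         # (25, 18, 18)
    p.setuid(p.ruid)                             # i = getruid(); setuid(i)
    after_setuid = p.ids()                       # (25, 25, 18): saved ID is still 18...
    p.seteuid(18)                                # ...so the program can regain it later
    return after_exec, after_setuid, p.ids()


def drop_root_for_good():
    """Least privilege: a root program permanently becoming user 1000."""
    p = Process(0, 0, 0).fork()
    p.setuid(1000)                               # EUID 0 => all three IDs change
    regained = p.seteuid(0)                      # -1: no saved root ID is left
    return p.ids(), regained
```

The contrast between the two functions is the point of the "Be careful with setuid 0" slide that follows: a non-root setuid program that lowers its EUID keeps the saved ID and can climb back, whereas a root program that calls setuid() on a non-zero ID cannot.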
Setuid programming
- Be careful with setuid 0!
  - Root can do anything; don't get tricked
- Principle of least privilege: change EUID when root privileges no longer needed

Unix summary
- Good things
  - Some protection from most users
  - Flexible enough to make things possible
- Main limitation
  - Too tempting to use root privileges
  - No way to assume some root privileges without all root privileges
Access control in Windows
- Some basic functionality similar to Unix
  - Specify access for groups and users
    - Read, modify, change owner, delete
- Some additional concepts
  - Tokens
  - Security attributes
- Generally
  - More flexible than Unix
    - Can define new permissions
    - Can give some but not all administrator privileges

Identify subject using SID
- Security ID (SID)
  - Identity (replaces UID)
    - SID revision number
    - 48-bit authority value
    - variable number of Relative Identifiers (RIDs), for uniqueness
  - Users, groups, computers, domains, domain members all have SIDs
Process has set of tokens
- Security context
  - Privileges, accounts, and groups associated with the process or thread
  - Presented as set of tokens
- Security Reference Monitor
  - Uses tokens to identify the security context of a process or thread
- Impersonation token
  - Used temporarily to adopt a different security context, usually of another user

Object has security descriptor
- Security descriptor associated with an object
  - Specifies who can perform what actions on the object
- Several fields
  - Header
    - Descriptor revision number
    - Control flags, attributes of the descriptor
      - E.g., memory layout of the descriptor
  - SID of the object's owner
  - SID of the primary group of the object
  - Two attached optional lists:
    - Discretionary Access Control List (DACL): users, groups, ...
    - System Access Control List (SACL): system logs, ...
Example access request

[Figure: An access token (User: Mark; Group 1: Administrators; Group 2: Writers) is checked against a security descriptor (Revision number, Control flags, Owner SID, Group SID, DACL pointer, SACL pointer) whose DACL holds two entries: Deny Writers Read, Write; Allow Mark Read, Write.]

- Access request: write
- Action: denied
  - User Mark requests write permission
  - Descriptor denies permission to group
  - Reference Monitor denies request
    - (DACL for access, SACL for audit and logging)
- Priority:
  - Explicit Deny
  - Explicit Allow
  - Inherited Deny
  - Inherited Allow

Impersonation Tokens (compare to setuid)
- Process adopts security attributes of another
  - Client passes impersonation token to server
- Client specifies impersonation level of server
  - Anonymous
    - Token has no information about the client
  - Identification
    - server obtains the SIDs of client and client's privileges, but server cannot impersonate the client
  - Impersonation
    - server identifies and impersonates the client
  - Delegation
    - lets server impersonate client on local, remote systems
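The access check from the example above, as an added example (not from the lecture and not Windows' own code): ACEs are taken in the priority order the slide lists (explicit deny, explicit allow, inherited deny, inherited allow), a matching deny that covers any requested right ends the check, and allow entries accumulate rights until every requested right is granted. The token and descriptor are the Mark / Writers example; names stand in for SIDs.

```python
"""Added example (not from the lecture): evaluating a DACL in the priority order
the slide gives. A matching Deny ACE covering any requested right denies; Allow
ACEs accumulate rights until all requested rights are granted; an exhausted DACL
denies. Names stand in for SIDs and the data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Ace:
    kind: str              # "Allow" or "Deny"
    trustee: str           # user or group (a SID in the real thing)
    rights: frozenset      # e.g. {"Read", "Write"}
    inherited: bool = False


@dataclass
class AccessToken:
    user: str
    groups: frozenset


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: list = field(default_factory=list)


# Explicit Deny < Explicit Allow < Inherited Deny < Inherited Allow
ORDER = {("Deny", False): 0, ("Allow", False): 1, ("Deny", True): 2, ("Allow", True): 3}


def canonical(dacl):
    """Sort ACEs into the priority the slide lists (stable sort keeps ties in place)."""
    return sorted(dacl, key=lambda a: ORDER[(a.kind, a.inherited)])


def check_access(token, descriptor, requested):
    """Reference-monitor decision for a set of requested rights."""
    requested = frozenset(requested)
    principals = {token.user} | set(token.groups)
    granted = set()
    for ace in canonical(descriptor.dacl):
        if ace.trustee not in principals:
            continue                                   # ACE is about someone else
        if ace.kind == "Deny" and ace.rights & requested:
            return False, f"denied by Deny ACE for {ace.trustee}"
        if ace.kind == "Allow":
            granted |= ace.rights & requested
            if granted == requested:
                return True, "all requested rights granted"
    return False, "no ACE grants every requested right"   # empty/incomplete DACL denies


def slide_example():
    """Mark (member of Administrators and Writers) asks for Write."""
    mark = AccessToken("Mark", frozenset({"Administrators", "Writers"}))
    desc = SecurityDescriptor(owner="Mark", group="Writers", dacl=[
        Ace("Allow", "Mark", frozenset({"Read", "Write"})),    # deliberately listed first;
        Ace("Deny", "Writers", frozenset({"Read", "Write"})),  # the explicit Deny still wins
    ])
    return check_access(mark, desc, {"Write"})[0]


def inherited_deny_loses_to_explicit_allow():
    """An inherited Deny ranks below an explicit Allow in the priority list."""
    alice = AccessToken("Alice", frozenset({"Staff"}))
    desc = SecurityDescriptor(owner="Alice", group="Staff", dacl=[
        Ace("Deny", "Staff", frozenset({"Write"}), inherited=True),
        Ace("Allow", "Alice", frozenset({"Write"})),
    ])
    return check_access(alice, desc, {"Write"})[0]
```

Two things worth noticing against the Unix model: group membership can take rights away (the Writers deny beats Mark's own allow, whereas Unix consults only the first matching class), and an object with no matching ACE at all denies by default.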
Secure Architecture Principles
Browser Isolation and Least Privilege

Web browser: an analogy
- Operating system
  - Subject: Processes
    - Has User ID (UID, SID)
    - Discretionary access control
  - Objects
    - File
    - Network
  - Vulnerabilities
    - Untrusted programs
    - Buffer overflow
- Web browser
  - Subject: web content (JavaScript)
    - Has Origin
    - Mandatory access control
  - Objects
    - Document object model
    - Frames
    - Cookies / localStorage
  - Vulnerabilities
    - Cross-site scripting
    - Implementation bugs
- The web browser enforces its own internal policy. If the browser implementation is corrupted, this mechanism becomes unreliable.
Components of security policy
- Frame-Frame relationships
  - canScript(A,B)
    - Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
  - canNavigate(A,B)
    - Can Frame A change the origin of content for Frame B?
- Frame-principal relationships
  - readCookie(A,S), writeCookie(A,S)
    - Can Frame A read/write cookies from site S?

Chromium Security Architecture
- Browser ("kernel")
  - Full privileges (file system, networking)
- Rendering engine
  - Up to 20 processes
  - Sandboxed
- One process per plugin
  - Full privileges of browser
Chromium Design Decisions
- Compatibility
  - Sites rely on the existing browser security policy
  - Browser is only as useful as the sites it can render
  - Rules out more clean-slate approaches
- Black Box
  - Only renderer may parse HTML, JavaScript, etc.
  - Kernel enforces coarse-grained security policy
  - Renderer enforces finer-grained policy decisions
- Minimize User Decisions

[Figure: Chromium as communicating sandboxed components.]

See: http://dev.chromium.org/developers/design-documents/sandbox/
Task Allocation
- Leverage OS Isolation
- Sandbox based on four OS mechanisms
  - A restricted token
  - The Windows job object
  - The Windows desktop object
  - Windows Vista only: integrity levels
- Specifically, the rendering engine
  - adjusts security token by converting SIDs to DENY_ONLY, adding restricted SID, and calling AdjustTokenPrivileges
  - runs in a Windows Job Object, restricting ability to create new processes, read or write clipboard, ...
  - runs on a separate desktop, mitigating lax security checking of some Windows APIs

See: http://dev.chromium.org/developers/design-documents/sandbox/
4/18/2013
Evaluation:CVEcount
Summary
TotalCVEs:
Arbitrarycodeexecutionvulnerabilities:
JohnMitchell
Securityprinciples
Isolation
PrincipleofLeastPrivilege
Qmail example
AccessControlConcepts
Matrix,ACL,Capabilities
OSMechanisms
Unix
Filesystem,Setuid
Windows
Filesystem,Tokens,EFS
Browsersecurityarchitecture
Isolationandleastprivilegeexample
JohnMitchell
10