4/18/2013

Secure Architecture Principles
Isolation and Least Privilege
John Mitchell

Principles of Secure Design
- Compartmentalization
  - Isolation
  - Principle of least privilege
- Defense in depth
  - Use more than one security mechanism
  - Secure the weakest link
  - Fail securely
- Keep it simple
Monolithic design (diagram): one System handles all of the inputs (Network, User input, File system) and all of the outputs (Network, User device, File system).

Component design (diagram): the same inputs (Network, User input) and outputs (Network, User display, User device, File system) are handled by separate components, each connected only to the resources it needs.
Principle of Least Privilege
- What's a privilege?
  - Ability to access or modify a resource
- Assume compartmentalization and isolation
  - Separate the system into independent modules
  - Limit interaction between modules
- Principle of Least Privilege
  - A system module should only have the minimal privileges needed for its intended purposes

Example: Mail Agent
- Requirements
  - Receive and send email over external network
  - Place incoming email into local user inbox files
- Sendmail
  - Traditional Unix
  - Monolithic design
  - Historical source of many vulnerabilities
- Qmail
  - Compartmentalized design
Qmail design
- Isolation based on OS isolation
  - Separate modules run as separate users
  - Each user only has access to specific resources
- Least privilege
  - Only one setuid program
    - setuid allows a program to run as different users
  - Only one root program
    - root program has all privileges

Structure of qmail (diagram)
- Incoming external mail enters through qmail-smtpd; incoming internal mail enters through qmail-inject
- Both hand the message to qmail-queue, which is read by qmail-send
- qmail-send dispatches to qmail-rspawn (which runs qmail-remote) or qmail-lspawn (which runs qmail-local)
Isolation by Unix UIDs (diagram)
- qmail-smtpd runs as qmaild
- qmail-inject runs as the invoking user
- qmail-queue runs as qmailq (setuid); qmailq is the user who is allowed to read/write the mail queue
- qmail-send runs as qmails
- qmail-rspawn and qmail-remote run as qmailr
- qmail-lspawn runs as root
- qmail-local runs as the user receiving the mail

Structure of qmail
- qmail-queue
  - Reads incoming mail directories
  - Splits message into header, body
  - Signals qmail-send
- qmail-send signals
  - qmail-lspawn if local
  - qmail-remote if remote
- qmail-lspawn
  - Spawns qmail-local
  - qmail-local runs with ID of user receiving local mail
- qmail-local
  - Handles alias expansion
  - Delivers local mail
  - Calls qmail-queue if needed
- qmail-remote
  - Delivers message to remote MTA

Isolation by Unix UIDs: Least privilege (diagram)
- Same UID assignment as above: qmail-queue (qmailq) is the one setuid program, and qmail-lspawn is the one root program, switching to the recipient's user ID before it runs qmail-local
Android process isolation
- Android application sandbox
  - Isolation: Each application runs with its own UID in own VM
    - Provides memory protection
    - Communication protected using Unix domain sockets
    - Only ping, zygote (spawn another process) run as root
  - Interaction: reference monitor checks permissions on inter-component communication
  - Least Privilege: Applications announce permissions
    - User grants access at install time

Secure Architecture Principles
Access Control Concepts
Access control
- Assumptions
  - System knows who the user is
    - Authentication via name and password, other credential
  - Access requests pass through gatekeeper (reference monitor)
    - System must not allow monitor to be bypassed
- (diagram) User process -> access request -> Reference monitor -> Resource; the monitor consults the policy

Access control matrix [Lampson]
- (table) Subjects (User 1, User 2, User 3, ..., User m) as rows, Objects (File 1, File 2, File 3, ..., File n) as columns; each entry lists the rights that subject holds on that object, such as read or write
Two implementation concepts
- Access control list (ACL)
  - Store column of matrix with the resource
- Capability
  - User holds a "ticket" for each resource
  - Two variations
    - store row of matrix with user, under OS control
    - unforgeable ticket in user space
- (diagram) the File 1 and File 2 columns of the matrix, listing each user's rights (read, write) on that file
- Access control lists are widely used, often with groups
- Some aspects of capability concept are used in many systems

ACL vs Capabilities
- Access control list
  - Associate list with each object
  - Check user/group against list
  - Relies on authentication: need to know user
- Capabilities
  - Capability is unforgeable ticket
    - Random bit sequence, or managed by OS
    - Can be passed from one process to another
  - Reference monitor checks ticket
    - Does not need to know identity of user/process

ACL vs Capabilities (diagram)
- ACL view: User U runs Process P, Process Q and Process R; each access is checked against U
- Capability view: Process P holds capabilities c, d, e; Process Q holds c, e; Process R holds c

ACL vs Capabilities
- Delegation
  - Cap: Process can pass capability at run time
  - ACL: Try to get owner to add permission to list?
    - More common: let other process act under current user
- Revocation
  - ACL: Remove user or group from list
  - Cap: Try to get capability back from process?
    - Possible in some systems if appropriate bookkeeping
      - OS knows which data is capability
      - If capability is used for multiple resources, have to revoke all or none
    - Indirection: capability points to pointer to resource
      - If C -> P -> R, then revoke capability C by setting P = 0
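The two implementation concepts side by side, as an added example that is not from the lecture: a constructed reference monitor that keeps one access matrix as an ACL (column stored with the object, caller must be authenticated) and as capabilities (unforgeable random tickets that can be passed between processes and are revoked through the indirection C -> P -> R). All object and user names are made up.

```python
import secrets

# Added example, not from the lecture: a constructed reference monitor that keeps one access
# matrix in both forms discussed on these slides.  The ACL form stores each object's column
# and must know the caller; the capability form hands out unforgeable random tickets that can
# be passed between processes and are revoked through the indirection C -> P -> R (set P = 0).

class Monitor:
    def __init__(self):
        self.acl = {}     # object -> {user: set of rights}          (a column of the matrix)
        self.caps = {}    # ticket C -> slot name P
        self.slots = {}   # slot P -> (object R, rights), or None once revoked

    # ACL side: the check needs an authenticated user
    def grant(self, obj, user, rights):
        self.acl.setdefault(obj, {}).setdefault(user, set()).update(rights)

    def revoke_acl(self, obj, user):
        self.acl.get(obj, {}).pop(user, None)

    def check_acl(self, user, obj, right):
        return right in self.acl.get(obj, {}).get(user, set())

    # Capability side: the check needs only the ticket, not who presents it
    def mint(self, obj, rights):
        slot = "slot-%d" % len(self.slots)
        self.slots[slot] = (obj, frozenset(rights))
        ticket = secrets.token_hex(16)          # 128 random bits: unforgeable in practice
        self.caps[ticket] = slot
        return ticket

    def revoke_cap(self, ticket):
        self.slots[self.caps[ticket]] = None    # P = 0: every copy of C now dangles

    def check_cap(self, ticket, obj, right):
        target = self.slots.get(self.caps.get(ticket))
        return target is not None and target[0] == obj and right in target[1]

def demo():
    m = Monitor()
    m.grant("file1", "user1", {"read", "write"})
    c = m.mint("file1", {"read"})
    q_copy = c                                   # process P passes the bit string to process Q
    before = (m.check_acl("user1", "file1", "write"), m.check_acl("user2", "file1", "read"),
              m.check_cap(q_copy, "file1", "read"), m.check_cap(q_copy, "file1", "write"))
    m.revoke_cap(c)                              # one revoke reaches every holder of c
    m.revoke_acl("file1", "user1")
    after = (m.check_acl("user1", "file1", "write"), m.check_cap(q_copy, "file1", "read"),
             m.check_cap("not-a-real-ticket", "file1", "read"))
    return before, after
```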

Roles (also called Groups)
- Role = set of users
  - Administrator, PowerUser, User, Guest
- Assign permissions to roles; each user gets permission
- Role hierarchy
  - Partial order of roles
  - Each role gets permissions of roles below
  - List only new permissions given to each role
- (diagram) Administrator > PowerUser > User > Guest

Role-Based Access Control
- (diagram) Individuals are assigned to Roles (engineering, marketing, human res), and roles are granted access to Resources (Server 1, Server 2, Server 3)
- Advantage: users change more frequently than roles
Secure Architecture Principles
Operating Systems

Unix access control
- Process has user id
  - Inherit from creating process
  - Process can change id
    - Restricted set of options
  - Special "root" id
    - Bypass access control restrictions
- File has access control list (ACL)
  - Grants permission to user ids
  - Owner, group, other
- (table) the access matrix again: User 1, User 2, User 3, ..., User m against File 1, File 2, ..., with read and write entries
Unix file access control list
- Each file has owner and group
- Permissions set by owner
  - Read, write, execute
  - Owner, group, other
  - Represented by vector of four octal values
      setid  rwx   rwx   rwx
             ownr  grp   othr
- Only owner, root can change permissions
  - This privilege cannot be delegated or shared
- Setid bits: discussed in a few slides

Question
- Owner can have fewer privileges than other
  - What happens?
  - Owner gets access?
  - Owner does not?
- Prioritized resolution of differences
  - if user = owner then owner permission
  - else if user in group then group permission
  - else other permission

Process effective user id (EUID)
- Each process has three IDs (+ more under Linux)
  - Real user ID (RUID)
    - same as the user ID of parent (unless changed)
    - used to determine which user started the process
  - Effective user ID (EUID)
    - from set user ID bit on the file being executed, or sys call
    - determines the permissions for process
      - file access and port binding
  - Saved user ID (SUID)
    - So previous EUID can be restored
- Real group ID, effective group ID, used similarly

Process Operations and IDs
- Root
  - ID = 0 for superuser root; can access any file
- Fork and Exec
  - Inherit three IDs, except exec of file with setuid bit
- Setuid system calls
  - seteuid(newid) can set EUID to
    - Real ID or saved ID, regardless of current EUID
    - Any ID, if EUID = 0
- Details are actually more complicated
  - Several different calls: setuid, seteuid, setreuid
Setid bits on executable Unix file
- Three setid bits
  - Setuid: set EUID of process to ID of file owner
  - Setgid: set EGID of process to GID of file
  - Sticky
    - Off: if user has write permission on directory, can rename or remove files, even if not owner
    - On: only file owner, directory owner, and root can rename or remove file in the directory

Example (diagram)
- A program owned by user 18 with the SetUID bit set is exec()'d by a process with RUID 25
- After exec(): RUID 25, EUID 18; the process can read/write a file owned by 18 (mode rw-r--r--)
- The program then runs i = getruid(); setuid(i); now RUID 25, EUID 25, and it reads/writes a file owned by 25 (mode rw-r--r--)
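The ID rules from the preceding slides replayed on this example, as an added illustration that is not from the lecture: a constructed RUID/EUID/SUID model with exec, seteuid and setuid, showing that the slide's setuid(getruid()) drop can be undone through the saved ID, whereas a root process that calls setuid() drops permanently. Two details are taken from POSIX rather than the slides and are marked in the comments.

```python
from dataclasses import dataclass

# Added example, not from the lecture: a constructed model of the RUID/EUID/SUID rules on these
# slides, replayed on the slide's walk-through (setuid program owned by uid 18, run by uid 25).
# Two details are assumed from POSIX rather than stated on the slides: exec of a setuid file also
# records the new EUID as the saved ID, and setuid() called with EUID 0 sets all three IDs.

@dataclass
class Proc:
    ruid: int   # which user started the process
    euid: int   # which permissions the process currently has
    suid: int   # saved ID, so a previous EUID can be restored

def exec_file(p: Proc, file_owner: int, setuid_bit: bool) -> Proc:
    """exec(): the three IDs are inherited unless the setuid bit sets EUID to the file owner."""
    euid = file_owner if setuid_bit else p.euid
    return Proc(p.ruid, euid, euid)

def seteuid(p: Proc, new: int) -> Proc:
    """seteuid(new): allowed for the real or saved ID regardless of EUID, or for any ID if EUID == 0."""
    if p.euid != 0 and new not in (p.ruid, p.suid):
        raise PermissionError("EPERM: euid %d may not become %d" % (p.euid, new))
    return Proc(p.ruid, new, p.suid)

def setuid(p: Proc, new: int) -> Proc:
    """setuid(new): as root it replaces all three IDs (a permanent drop); otherwise like seteuid."""
    return Proc(new, new, new) if p.euid == 0 else seteuid(p, new)

def can_write(p: Proc, file_owner: int) -> bool:
    """Owner-only write, as on the slide's rw-r--r-- files; root bypasses the check."""
    return p.euid in (0, file_owner)

def slide_walkthrough():
    p = exec_file(Proc(25, 25, 25), file_owner=18, setuid_bit=True)   # RUID 25, EUID 18
    after_exec = (p.euid, can_write(p, 18))
    p = setuid(p, p.ruid)                                             # i = getruid(); setuid(i)
    after_drop = (p.euid, can_write(p, 18), can_write(p, 25))
    regained = seteuid(p, p.suid).euid     # SUID still holds 18, so the drop was not permanent
    return after_exec, after_drop, regained

def root_drop():
    """Least privilege for a setuid-0 program: once root calls setuid(25), 0 cannot be regained."""
    p = setuid(Proc(25, 0, 0), 25)
    try:
        seteuid(p, 0)
    except PermissionError:
        return (p.ruid, p.euid, p.suid), True
    return (p.ruid, p.euid, p.suid), False
```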

Setuid programming
- Be Careful with Setuid 0!
  - Root can do anything; don't get tricked
- Principle of least privilege: change EUID when root privileges no longer needed

Unix summary
- Good things
  - Some protection from most users
  - Flexible enough to make things possible
- Main limitation
  - Too tempting to use root privileges
  - No way to assume some root privileges without all root privileges

Access control in Windows
- Some basic functionality similar to Unix
  - Specify access for groups and users
  - Read, modify, change owner, delete
- Some additional concepts
  - Tokens
  - Security attributes
- Generally
  - More flexible than Unix
  - Can define new permissions
  - Can give some but not all administrator privileges

Identify subject using SID
- Security ID (SID)
  - Identity (replaces UID)
  - SID revision number
  - 48-bit authority value
  - variable number of Relative Identifiers (RIDs), for uniqueness
- Users, groups, computers, domains, domain members all have SIDs
Process has set of tokens
- Security context
  - Privileges, accounts, and groups associated with the process or thread
  - Presented as set of tokens
- Security Reference Monitor
  - Uses tokens to identify the security context of a process or thread
- Impersonation token
  - Used temporarily to adopt a different security context, usually of another user

Object has security descriptor
- Security descriptor associated with an object
  - Specifies who can perform what actions on the object
- Several fields
  - Header
    - Descriptor revision number
    - Control flags, attributes of the descriptor
      - E.g., memory layout of the descriptor
  - SID of the object's owner
  - SID of the primary group of the object
  - Two attached optional lists:
    - Discretionary Access Control List (DACL): users, groups, ...
    - System Access Control List (SACL): system logs, ...
Example access request
- Access token
  - User: Mark
  - Group1: Administrators
  - Group2: Writers
- Security descriptor
  - Revision Number, Control flags, Owner SID, Group SID, DACL Pointer, SACL Pointer
  - DACL: Deny Writers Read, Write; Allow Mark Read, Write
- Access request: write
- Action: denied
  - User Mark requests write permission
  - Descriptor denies permission to group
  - Reference Monitor denies request
  - (DACL for access, SACL for audit and logging)
- Priority:
  - Explicit Deny
  - Explicit Allow
  - Inherited Deny
  - Inherited Allow

Impersonation Tokens (compare to setuid)
- Process adopts security attributes of another
  - Client passes impersonation token to server
- Client specifies impersonation level of server
  - Anonymous
    - Token has no information about the client
  - Identification
    - server obtains the SIDs of client and client's privileges, but server cannot impersonate the client
  - Impersonation
    - server identifies and impersonates the client
  - Delegation
    - lets server impersonate client on local, remote systems
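The example access request above, as an added illustration that is not from the lecture: a constructed model of the reference monitor's decision that evaluates a token's SIDs against a DACL in the slide's priority order (explicit deny, explicit allow, inherited deny, inherited allow) and reproduces why Mark's write is denied. The SIDs are made up except the well-known Administrators SID; the per-right "first matching ACE wins" rule is a simplification of the real Windows algorithm.

```python
from dataclasses import dataclass

# Added example, not from the lecture: a constructed model of the access check on the slide.
# A token carries the user's SID and group SIDs; the object's DACL is a list of ACEs, evaluated
# in the priority order the slide gives (explicit deny, explicit allow, inherited deny, inherited
# allow).  For each requested right the first ACE that matches decides; a right no ACE grants is
# refused.  All SIDs below are constructed except S-1-5-32-544, the well-known Administrators SID.

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    sid: str             # user or group SID the entry applies to
    rights: frozenset    # e.g. frozenset({"read", "write"})
    inherited: bool = False

PRIORITY = {("deny", False): 0, ("allow", False): 1, ("deny", True): 2, ("allow", True): 3}

def access_check(token_sids, dacl, requested) -> bool:
    """Reference-monitor decision: True only if every requested right is allowed."""
    ordered = sorted(dacl, key=lambda a: PRIORITY[(a.kind, a.inherited)])
    for right in requested:
        decision = False                       # deny by default
        for ace in ordered:
            if ace.sid in token_sids and right in ace.rights:
                decision = ace.kind == "allow"
                break                          # first matching ACE in priority order wins
        if not decision:
            return False
    return True

MARK_SID, ADMINS_SID, WRITERS_SID = "S-1-5-21-EX-1001", "S-1-5-32-544", "S-1-5-21-EX-2001"
MARK_TOKEN = {MARK_SID, ADMINS_SID, WRITERS_SID}   # User: Mark; Group1: Administrators; Group2: Writers
SLIDE_DACL = [
    Ace("deny", WRITERS_SID, frozenset({"read", "write"})),   # Deny  Writers Read, Write
    Ace("allow", MARK_SID, frozenset({"read", "write"})),     # Allow Mark    Read, Write
]

def slide_request() -> bool:
    """Mark requests write: the explicit deny on Writers outranks the explicit allow on Mark."""
    return access_check(MARK_TOKEN, SLIDE_DACL, {"write"})
```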

Secure Architecture Principles
Browser Isolation and Least Privilege

Web browser: an analogy
- Operating system
  - Subject: Processes
    - Has User ID (UID, SID)
    - Discretionary access control
  - Objects
    - File
    - Network
  - Vulnerabilities
    - Untrusted programs
    - Buffer overflow
- Web browser
  - Subject: web content (JavaScript)
    - Has Origin
    - Mandatory access control
  - Objects
    - Document object model
    - Frames
    - Cookies / localStorage
  - Vulnerabilities
    - Cross-site scripting
    - Implementation bugs
- The web browser enforces its own internal policy. If the browser implementation is corrupted, this mechanism becomes unreliable.
Components of security policy
- Frame-Frame relationships
  - canScript(A,B)
    - Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
  - canNavigate(A,B)
    - Can Frame A change the origin of content for Frame B?
- Frame-principal relationships
  - readCookie(A,S), writeCookie(A,S)
    - Can Frame A read/write cookies from site S?

Chromium Security Architecture
- Browser ("kernel")
  - Full privileges (file system, networking)
- Rendering engine
  - Up to 20 processes
  - Sandboxed
- One process per plugin
  - Full privileges of browser
Chromium Design Decisions
- Compatibility
  - Sites rely on the existing browser security policy
  - Browser is only as useful as the sites it can render
  - Rules out more clean-slate approaches
- Black Box
  - Only renderer may parse HTML, JavaScript, etc.
  - Kernel enforces coarse-grained security policy
  - Renderer enforces finer-grained policy decisions
- Minimize User Decisions

Communicating sandboxed components (diagram)
- See: http://dev.chromium.org/developers/design-documents/sandbox/
Task Allocation (diagram)

Leverage OS Isolation
- Sandbox based on four OS mechanisms
  - A restricted token
  - The Windows job object
  - The Windows desktop object
  - Windows Vista only: integrity levels
- Specifically, the rendering engine
  - adjusts security token by converting SIDs to DENY_ONLY, adding restricted SID, and calling AdjustTokenPrivileges
  - runs in a Windows Job Object, restricting ability to create new processes, read or write clipboard, ...
  - runs on a separate desktop, mitigating lax security checking of some Windows APIs
- See: http://dev.chromium.org/developers/design-documents/sandbox/
Evaluation: CVE count (charts)
- Total CVEs: (chart)
- Arbitrary code execution vulnerabilities: (chart)

Summary
- Security principles
  - Isolation
  - Principle of Least Privilege
  - Qmail example
- Access Control Concepts
  - Matrix, ACL, Capabilities
- OS Mechanisms
  - Unix
    - File system, Setuid
  - Windows
    - File system, Tokens, EFS
- Browser security architecture
  - Isolation and least privilege example