Matthew's Notes

Search

SearchSearch

OS Security

Feb 20, 2025, 5 min read

I missed some stuff OS Overview Operating Systems - CS 354 These could both be useful

Multiuser and Multiprocess system

  • Security Threats
    • User authentication (keep malicious users out)
      • Typically done with usernames/passwords
    • Access to resources
      • Files, memory, compute time
    • Protect users form each other and OS TCB (Trusted Compute Base) (kernel and system processes) from users

Modern Operating System

  • Operating system kernel
  • Many processes, each running a program
  • Files

Kernel Space vs User Space

  • Part of the OS runs in kernel mode
    • Known as the OS kernel
  • Other parts of the OS run in the user mode, including service programs (daemon program), user applications, etc.
    • Run as processes
    • From the user space (or the user land)
  • There is a difference between kernel mode ans “root” user/processes running as root
    • Running as root just means you’re running as admin/super user
    • Processes only use kernel mode when making system calls or accessing hardware
    • Root is just another user, albeit one with all the privileges

Processes

  • Each process has its own address space
  • Each process has a PID
  • Each process has a “protection state” and set of operations to modify this state
    • UID, GID, supplementary groups
    • Protection state determines which files users may create/read/write
    • Child processes inherit their parent’s permissions

Files

  • Represent both real files and devices such as I/O devices, network and IPC, etc.
  • Have an owner UID and owner GID
  • Owner can modify any aspects of the file
    • chmod a+r
    • rwrx-x-wx = 111|101|011 = 753

setuid

  • A way to let a process run as the user who owns the file/program rather than as the user who starts it
  • Changing the user id of a running process
  • Special access bits attached to application programs that allow them to run as the UID of the file’s owner
  • Ex. sshd runs as root, ping runs as root (regardless of who starts the application)
  • Example
    • ls -l /bin/passwd
    • -rwsr-xr-x. 1 root root 278768 ... ... /bin/passwd
  • The process runs as root even though a regular user invokes it
  • All the vulnerabilities in Project 1 run as root, so when we get the vulnerability to run a shell it opens the shell as root, since the process is running as root

So how does an OS break?

  • Vulnerabilities in high privilege network facing daemons
  • Bad passwords, sending passwords in the clear (telnet/ftp)
  • Kernel vulnerabilities
  • Device driver vulnerabilities
  • Side channels (Rowhammer!)
    • exploiting leakages of information in the system
    • Rowhammer exploits the physics of memory by hitting one area of memory really hard causing the voltages to flip in other parts of memory
      • This is being protected for more, but older memory doesn’t always have those protections!

The Protection Rings (of privilege)

  • Ring 0 - Kernel
  • Rings 1 & 2 - Device drivers (rarely used)
  • Ring 3 - Applications

Trusted Computing Base (TCB)

  • The set of all hardware, software and procedural components that enforce te security policy on a system
    • In order to break security, an attacker must subvert one or more of them
    • The smaller the TCB the more secure a system is
  • What consists of the conceptual Trusted Computing Base in a Unix/Linux system?
    • Hardware, kernel, system binaries, system config files, setuid root programs, etc.
  • One approach to improve security is to reduce the size of TCB, i.e., reduce what one relies on for security

TPM (Trusted Platform Module)

  • Secure cryptoprocessor - dedicated microcontroller designed to secure hardware through integrated cryptographic keys
  • Hold private keys for attestation
    • Platform key
    • Type key
  • Other key storage
    • For storage management (BitLocker)
  • Key generation
  • SHA-1
  • Public key, HMAC

Attestation

  • Allows a program to authenticate itself/prove its identity
  • Attestation of boot
    • Allows your system to securely boot into a defined and trusted state
    • Generate rolling SHA-1 of binaries loaded into memory and provide as a signed value
  • Attestation of platform
    • Provide signed boot sequence + signed nonce with platform/type key

Trusted Execution Environments (TEE)

  • What happens if the OS or host is malicious? Not all computing devices are trustworthy!
  • Trusted Execution Environments (TEE) protect the integrity and confidentiality of applications
  • Leverage dedicated hardware
  • Enable the execution of security-sensitive applications inside protected domains isolated from the platform’s operating system
  • Examples: ARM TrustZone, Intel SGX, AMD SEV
  • Use cases include secure remote computation, concealing encryption keys, DRM, and many others

Sandboxing

  • Mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading
  • Frequently used to test unverified programs
  • Provides (strong) isolation for execution
  • “nobody” user
    • User account which owns no files, in no privileged groups, and has no abilities except those which every other user has
    • Common to run daemons as nobody, especially servers, in order to limit the damage that could be done by a malicious user who gained control of them
    • Limitations?
  • chroot
    • Changes the apparent root directory for the current running process and its children
    • The program that is run in such an environment cannot name (and therefore normally cannot access) files outside the designated directory tree
  • Virtualization
    • Allows the existence of multiple isolated user-space instances, called containers
    • Programs running inside a container can only see the container’s contents and devices assigned to the container
    • Operating system virtualization vs hardware virtualization

Graph View

Backlinks