
Security at the Operating System Level (Microsoft)

By Birinder Dhillon

Outline

Why need security at the OS level? Security features/concerns of Microsoft Windows NT. Security provided by Microsoft Windows 2000. Next Generation Secure Computing Base for Windows by Microsoft. Conclusion. Questions/Comments.

Why need security at the OS level?

No more standalone computer system environments. Any system can be globally accessible through a vast set of inter- and intra-network connections. The transition is motivated by the need to work remotely, convenience in accessing personal records, online shopping, etc.

Why need security at the OS level? (contd.)

Convenience and efficiency come with increased security risks. We trust computers more than our life partners. A single security loophole in the OS design, known to a malicious attacker, could do serious damage.

Security Model of Microsoft Windows NT

Access Tokens: Evidence that a user has successfully logged in. Security Descriptors: Represent the access rights of a logged-in user. Object Manager: Reads the security descriptors and passes the information on to the Security Reference Monitor (SRM). The SRM determines whether a user's action is legal or illegal.

Security features of Microsoft Windows NT

NTFS: Allows system administrators to set global or very specific file access permissions. Sets up a virtual root directory to prevent network users from accessing higher nodes in the system.

Security features of Microsoft Windows NT (contd.)

Minimum password length and frequent password change requirements. Multiple levels of privilege, unlike UNIX. Challenge-response scheme for authentication during user log-on attempts. Auditing.

Loopholes in Microsoft Windows NT Security Model

Assumes a logged-in user is a legal user. The networking environment uses some old, out-of-date protocols (such as NetBEUI, DLC). Use of non-standard implementations of security protocols, for example Microsoft's implementation of PPTP. Obvious relationships between clear-text passwords and hash values; tools like l0phtcrack can exploit this vulnerability.

Security features of Microsoft Windows 2000

Technology based on Windows NT. Designed to address the security loopholes of Windows NT. New security features included with Windows 2000: Active Directory, ACLs for both users and resources, Encrypting File System, Kerberos, Internet Protocol Security (IPSec), PKI.

Kerberos

Windows 2000 replaces the NT LAN Manager with Kerberos version 5. Network authentication protocol. Involves the participation of two principals and a trusted third party called the Key Distribution Center (KDC). Uses symmetric key encryption. The KDC provides the shared key for each session.

Kerberos (contd.)

Scenario 1: A principal is trying to log on to his/her workstation.

Scenario 2: A principal wants to communicate with another principal.

Kerberos (contd.) Scenario 1

The following sequence of events occurs ({X}K denotes X encrypted under key K):

  Alice → W : P, U
  W → KDC : U
  KDC → W : { S_A, { S_A, U, TS }K_KDC }K_A

where S_A is the session key for communication between Alice's workstation and the KDC, and { S_A, U, TS }K_KDC is the Ticket-Granting Ticket (TGT).

W computes K_A = hash(P) and decrypts { S_A, { S_A, U, TS }K_KDC }K_A.

Kerberos (contd.) Scenario 2

The following sequence of events occurs:

  Alice → KDC : { TGT }K_KDC, Bob, { TS }S_A
    The KDC decrypts the TGT and obtains S_A; the KDC decrypts TS using S_A.
  KDC → Alice : { Alice, Bob, TS1, K_AB, { Alice, Bob, TC, TE, K_AB }K_B }S_A
  Alice → Bob : { Alice, Bob, TC, TE, K_AB }K_B, { TS2 }K_AB
    Bob decrypts his ticket using K_B to obtain K_AB; Bob decrypts the authenticator using K_AB.
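Both scenarios, run end to end as an added Python simulation (example code, not part of the original slides): a toy authenticated cipher stands in for the Kerberos encryption, K_A is derived as hash(P) as on the slide, and the KDC and Bob reject authenticators whose timestamp is outside the clock-skew window, which is what stops an old authenticator from being reused. The key names, the 300-second skew window and the eight-hour ticket lifetime are assumptions.

```python
import hashlib, hmac, json, os, time
SKEW = 300  # seconds of clock skew the KDC and Bob tolerate on timestamps (assumed value)
# Toy keystream (SHA-256 in counter mode). Illustration only, not a real cipher.
ks = lambda key, nonce, n: b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                                    for i in range(n // 32 + 1))[:n]

def enc(key, obj):
    """{obj}key on the slides: encrypt-then-MAC with a fresh nonce, so a wrong key is detected by the tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks(key, nonce, len(ct)))))

K_KDC = os.urandom(32)                                        # KDC master key
KEYS = {"Alice": hashlib.sha256(b"correct horse").digest(),   # K_A = hash(P), as on the slide
        "Bob": os.urandom(32)}                                # K_B, Bob's long-term key

def kdc_as(user):
    """Scenario 1: W -> KDC : U ;  KDC -> W : {S_A, {S_A, U, TS}K_KDC}K_A"""
    s_a = os.urandom(32).hex()
    tgt = enc(K_KDC, {"S_A": s_a, "U": user, "TS": time.time()})  # the TGT
    return enc(KEYS[user], {"S_A": s_a, "TGT": tgt.hex()})

def kdc_tgs(tgt, target, auth):
    """Scenario 2: Alice -> KDC : {TGT}K_KDC, Bob, {TS}S_A ;  KDC -> Alice : {Alice, Bob, TS1, K_AB, ticket}S_A"""
    t = dec(K_KDC, tgt); s_a = bytes.fromhex(t["S_A"])        # recover S_A from the TGT
    if abs(time.time() - dec(s_a, auth)["TS"]) > SKEW:        # authenticator must be fresh
        raise ValueError("stale authenticator")
    now, k_ab = time.time(), os.urandom(32).hex()
    ticket = enc(KEYS[target], {"c": t["U"], "s": target, "TC": now, "TE": now + 28800, "K_AB": k_ab})
    return enc(s_a, {"c": t["U"], "s": target, "TS1": now, "K_AB": k_ab, "ticket": ticket.hex()})

def bob_accept(ticket, auth):
    """Alice -> Bob : {Alice, Bob, TC, TE, K_AB}K_B, {TS2}K_AB ; returns the authenticated client name."""
    t = dec(KEYS["Bob"], ticket); now = time.time()
    if not (t["TC"] - SKEW <= now <= t["TE"]) or abs(now - dec(bytes.fromhex(t["K_AB"]), auth)["TS2"]) > SKEW:
        raise ValueError("ticket outside its validity window or stale authenticator")
    return t["c"]

def login_and_talk_to_bob(password):
    """Both scenarios end to end. A wrong password gives the wrong K_A, so dec() of the AS reply fails."""
    r = dec(hashlib.sha256(password.encode()).digest(), kdc_as("Alice"))   # W computes K_A = hash(P)
    s_a, tgt = bytes.fromhex(r["S_A"]), bytes.fromhex(r["TGT"])
    r2 = dec(s_a, kdc_tgs(tgt, "Bob", enc(s_a, {"TS": time.time()})))
    return bob_accept(bytes.fromhex(r2["ticket"]), enc(bytes.fromhex(r2["K_AB"]), {"TS2": time.time()}))
```

Note that Alice's password never leaves the workstation: only K_A = hash(P) is used, and only to open the KDC's reply.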

Encrypting File System (EFS)

EFS is integrated with NTFS version 5. Allows Windows 2000 users to encrypt their files and folders. Encrypting a folder encrypts all the subfolders and files in that folder. Cannot be used to encrypt system files. A user needs to know the key to decrypt a file; the log-in password is not enough.

EFS (contd.)

Uses public key encryption. The initial version uses DES as the encryption algorithm. A randomly generated File Encryption Key (FEK) is used for encryption. Users/Recovery Agents encrypt the FEK using their public key and decrypt it using their private key.

EFS (contd.) File Encryption Process

The file encryption process (the slide's diagram, rendered here as text):

  Plain text → File Encryption (DES, keyed with the randomly generated FEK) → Encrypted text
  FEK + User's public key → Data Decryption Field generation → DDF
  FEK + Recovery Agent's public key → Data Recovery Field generation → DRF

EFS (contd.) File Decryption Process

The file decryption process (the slide's diagram, rendered here as text):

  DDF + User's private key → Data Decryption Field extraction → FEK
  Encrypted text → File Decryption (DES, keyed with the FEK) → Plain text

EFS (contd.) File Recovery Process

The file recovery process (the slide's diagram, rendered here as text):

  DRF + Recovery Agent's private key → Data Recovery Field extraction → FEK
  Encrypted text → File Decryption (DES, keyed with the FEK) → Plain text

Public Key Infrastructure (PKI)

Primary components of Windows 2000 PKI are:

Certificate Services: Businesses act as their own Certificate Authorities (CAs). Active Directory directory service: Stores information about the network and is used to publish keys. PKI-enabled applications. Exchange Key Management Service (KMS): Used to manage email encryption keys.

PKI (contd.)

Includes typical components of a PKI: CA and Sub-CA. Certificates are compliant with the ITU-T X.509 standard. Supports standard security protocols like IPSec, PKINIT, PC/SC, etc. Enhances interoperability. Users now have the capability of mixing public and private CAs in their environment.

Next Generation Secure Computing Base for Windows

New set of features for a future operating system, previously codenamed Palladium. Promises to provide greater security, enhanced personal privacy, and system integrity. Applications that would make use of Palladium's security features are codenamed Trusted Agents.

Next Generation Secure Computing Base for Windows (contd.)

Palladium enabled systems would offer the following security features:

Protected Memory: Hide and protect the pages of main memory being used by a Trusted Agent. Attestation: Data signed by a Trusted Agent to prove its authenticity. Sealed Storage: The ability of a Trusted Agent to store data securely. Secure input and output: Guarantee a trusted path from the input devices to a Trusted Agent and from a Trusted Agent to the output devices.

Next Generation Secure Computing Base for Windows (contd.)

Palladium requires both hardware and software support to implement the security features.

Hardware Support

To provide trusted space in memory. To implement the sealed storage security feature. Intel has already scheduled the release of its Prescott processor enabled with LaGrande technology to provide hardware support.

Next Generation Secure Computing Base for Windows (contd.)

Software Support

Nexus (formerly codenamed Trusted Operating Root)

Technology to be used by the OS to provide trust functionality. Executes in kernel mode alongside Trusted Agents, which execute in user mode. Provides the APIs that the Trusted Agents use to communicate with the Nexus.

Next Generation Secure Computing Base for Windows (contd.)

Software Support (contd.)

Trusted Agents

User applications that can make use of Palladium's security features. Execute in user mode in trusted space. Call the Nexus when they need to make use of some security feature. Able to store secrets using sealed storage and authenticate themselves using attestation.

Next Generation Secure Computing Base for Windows (contd.)

Examples

Protection against virus attacks

Still need anti-virus software to catch a virus. If the anti-virus software is a Trusted Agent, then Palladium makes sure it executes in a secure environment and infected code doesn't affect it.

File encryption

Files encrypted using system-specific secrets cryptographically locked into hardware. Files are useless if maliciously copied or tampered with.

Conclusion

High security promises prompt consumers to store important and private data carelessly. No matter how high the OS security promises are, someone's always out there to break them. An example is the Code Red worm that hammered Windows 2000 users by exploiting a loophole in IIS 4.0 and 5.0.

Questions/Comments
