Typical Operating System Flaws
Periodically
throughout our analysis of operating system security features, we have used the
phrase "exploit a vulnerability." Throughout the years, many
vulnerabilities have been uncovered in many operating systems. They have
gradually been corrected, and the body of knowledge about likely weak spots has
grown.
Known Vulnerabilities
In this
section, we discuss typical vulnerabilities that have been uncovered in
operating systems. Our goal is not to provide a "how-to" guide for
potential penetrators of operating systems. Rather, we study these flaws to
understand the careful analysis necessary in designing and testing operating
systems. User interaction is the largest single source of operating system
vulnerabilities, for several reasons:
The user interface is
performed by independent, intelligent hardware subsystems. The humancomputer
interface often falls outside the security kernel or security restrictions
implemented by an operating system.
Code to interact with users
is often much more complex and much more dependent on the specific device
hardware than code for any other component of the computing system. For these
reasons, it is harder to review this code for correctness, let alone to verify
it formally.
User interactions are often
character oriented. Again, in the interest of fast data transfer, the operating
systems designers may have tried to take shortcuts by limiting the number of
instructions executed by the operating system during actual data transfer.
Sometimes the instructions eliminated are those that enforce security policies
as each character is transferred.
A second
prominent weakness in operating system security reflects an ambiguity in access
policy. On one hand, we want to separate users and protect their individual
resources. On the other hand, users depend on shared access to libraries,
utility programs, common data, and system tables. The distinction between isolation
and sharing is not always clear at the policy level, so the distinction cannot
be sharply drawn at implementation.
A third
potential problem area is incomplete
mediation. Recall that Saltzer [SAL74]
recommended an operating system design in which every requested access was
checked for proper authorization. However, some systems check access only once
per user interface operation, process execution, or machine interval. The
mechanism is available to implement full protection, but the policy decision on
when to invoke the mechanism is not complete. Therefore, in the absence of any
explicit requirement, system designers adopt the "most efficient"
enforcement; that is, the one that will lead to the least use of machine
resources.
Generality is a fourth protection weakness, especially among commercial
operating systems for large computing systems. Implementers try to provide a
means for users to customize their operating system installation and to allow
installation of software packages written by other companies. Some of these
packages, which themselves operate as part of the operating system, must
execute with the same access privileges as the operating system. For example,
there are programs that provide stricter access control than the standard
control available from the operating system. The "hooks" by which
these packages are installed are also trapdoors for any user to penetrate the
operating system.
Thus, several well-known
points of security weakness are common to many commercial operating systems. Let
us consider several examples of actual vulnerabilities that have been exploited
to penetrate operating systems.
Examples of Exploitations
Earlier, we discussed why the
user interface is a weak point in many major operating systems. We begin our
examples by exploring this weakness in greater detail. On some systems, after
access has been checked to initiate a user operation, the operation continues
without subsequent checking, leading to classic time-of-check to time-of-use flaws. Checking access permission with
each character transferred is a substantial overhead for the protection system.
The command often resides in the user's memory space. Any user can alter the
source or destination address of the command after the operation has commenced.
Because access has already been checked once, the new address will be used
without further checkingit is not checked each time a piece of data is
transferred. By exploiting this flaw, users have been able to transfer data to
or from any memory address they desire.
Another example of
exploitation involves a procedural problem. In one system a special supervisor
function was reserved for the installation of other security packages. When
executed, this supervisor call returned control to the user in privileged mode.
The operations allowable in that mode were not monitored closely, so the
supervisor call could be used for access control or for any other high-security
system access. The particular supervisor call required some effort to execute,
but it was fully available on the system. Additional checking should have been
used to authenticate the program executing the supervisor request. As an
alternative, the access rights for any subject entering under that supervisor
request could have been limited to the objects necessary to perform the
function of the added program.
The time-of-check to
time-of-use mismatch described in Chapter 3
can introduce security problems, too. In an attack based on this vulnerability,
access permission is checked for a particular user to access an object, such as
a buffer. But between the time the access is approved and the access actually
occurs, the user changes the designation of the object, so that instead of
accessing the approved object, the user now accesses another, unacceptable, one.
Other penetrations have
occurred by exploitation of more complex combinations of vulnerabilities. In
general, however, security flaws in trusted operating systems have resulted
from a faulty analysis of a complex situation, such as user interaction, or from
an ambiguity or omission in the security policy. When simple security
mechanisms are used to implement clear and complete security policies, the
number of penetrations falls dramatically.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.