Operating System Protection And Rings - Giac
Operating System Protection And Rings - Giac
Operating System Protection And Rings - Giac
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Operating</strong> <strong>System</strong> <strong>Protection</strong> <strong>And</strong> <strong>Rings</strong><br />
Jim Hurst
<strong>Operating</strong> <strong>System</strong> <strong>Protection</strong> <strong>And</strong> <strong>Rings</strong><br />
Introduction<br />
Hacker break-ins are so common that they are no longer news. This paper explores a<br />
system compromise from the other side: How does an operating system protect itself<br />
from attack? The short answer is that the OS applies layers of trust, or protection rings, to<br />
executing programs—with the kernel residing in the most privileged ring. User programs<br />
have restricted access to the resources of the privileged ring.<br />
The discussion briefly explains kernels and memory segregation into rings. It then<br />
explores how rings function in program execution, in addition to the attack mechanisms<br />
used for privilege escalation.<br />
Kernels: Micro, Monolithic, and Hybrid<br />
The operating system is the software that runs your computer, and the heart of the<br />
operating system is the kernel. The kernel functions as a liaison between the hardware<br />
and software. While hiding the implementation details from the other software that uses<br />
these devices, it manages access to memory, processor, and I/O devices. User programs<br />
use system calls and inter-process communications to request and receive resources from<br />
the kernel. The operating system normally segregates the available memory into a portion<br />
reserved for the kernel alone (the kernel space), and user space, where less privileged<br />
programs run.<br />
Kernels are categorized based on how they process in the same address space. A typical<br />
solution, done for efficiency, is for the kernel to run all code in a single large address<br />
space. This is referred to as a monolithic kernel, and it is the solution that Linux, Unix,<br />
and Mac OS use. In contrast, QNX and other systems provide only basic services in the<br />
kernel and make system calls to user space programs to provide other functions. The<br />
Windows NT kernel (used in Windows 2000, XP, 2003, and Vista) is known as a hybrid<br />
kernel, because it combines aspects of both monolithic and micro kernels.<br />
The security implications of hybrid kernel are huge. The power to execute code in the<br />
kernel space implies complete ownership of the system. Therefore, system architects and<br />
security engineers must guarantee the integrity of all software running in the kernel. One<br />
way an intruder can completely subvert a system is to run hostile code in kernel space.<br />
All common modern operating systems are multitasking, which simply means that the<br />
operating system runs many different programs at once. It does so by assigning each of<br />
the different programs their own section of memory (their address space) and sharing the<br />
processor cycles among the programs (time-sharing). This is a powerful technique, which<br />
allows one to listen to music while working on a document, with both a chat window and<br />
a browser open. It also presents a security risk: How do you prevent hostile programs<br />
from accessing unauthorized data?<br />
OS <strong>Rings</strong><br />
In practice, this means that formal mechanisms must be in place to segregate the trusted<br />
operating system from untrusted user programs. The most reliable way to accomplish this<br />
is in hardware. If the segregation occurs in software, a software failure (such as a buffer
overflow) can be used to compromise the system. The first system to support rings in<br />
hardware was the MULTICS time-sharing system in the 1960s, which included eight<br />
rings. This approach of hardware-enforced rings has been almost universally adopted by<br />
later architectures.<br />
The most common CPU architecture in use today is the x86 compatible architecture.<br />
Beginning with the 80286 chipset, the x86 family has provided two main methods of<br />
addressing memory: real mode and protected mode. Real mode, limited to a single<br />
megabyte of memory, quickly became obsolete. Protected mode provided numerous new<br />
features to support multitasking. These included segmenting processes, so that they could<br />
no longer write outside their address space, along with hardware support for virtual<br />
memory and task switching.<br />
In the x86 family, protected mode uses four priority levels, numbered 0 to 3. <strong>System</strong><br />
memory is divided into segments, and each segment is assigned a priority level. The<br />
processor uses the priority level to determine what can and cannot be done with code or<br />
data within a segment. The term rings comes from the MULTICS system, where<br />
privilege levels were visualized as a set of concentric rings. Ring 0 is considered to be the<br />
innermost ring, with total control of the processor. Ring 3, the outermost ring, is provided<br />
only with restricted access.<br />
Windows, Linux, and most Unix variants all use rings, although they have generally<br />
dropped the four-ring structure and instead adopted a two-layer approach that uses only<br />
rings 0 and 3. Security mechanisms in the hardware enforce restrictions on ring 3 by<br />
limiting code access to segments, paging, and input/output. If a user program running in<br />
ring 3 tries to address memory outside of its segments, a hardware interrupt stops code<br />
execution. Some assembly language instructions are not even available for execution<br />
outside of Ring 0.<br />
<strong>Rings</strong> as Gated Communities<br />
The discussion above shows how the operating system is separated from user<br />
applications, as the kernel uses a different address space that is hardware-locked against<br />
access from users. This poses the question of how user applications communicate with<br />
the OS. Gates between rings provide user applications tightly controlled access to ring 0<br />
resources. An example of this occurs when a user attempts to connect to the Internet with<br />
a browser. The browser is requesting access to the network interface, which is a hardware<br />
resource controlled by ring 0. The operating system policies in place determine whether<br />
the privilege is granted. Privileged programs, such as a firewall client, on your computer<br />
an intercept the request and allow or deny it based on which application or user is making<br />
the request. Similar uses of policy occur in file protections: Policy can specify that only<br />
the owner of a file can access it. Therefore, when a user application attempts to read the<br />
file on the disk, the operating system in ring 0 verifies that the user is authorized for<br />
access before permitting the file read.<br />
The Gatekeepers: Device Drivers and Libraries<br />
Device drivers (or drivers) are the programs the operating system uses to read from and<br />
write to hardware devices. These are specialized programs written to provide an interface<br />
between a specific piece of hardware and a specific operating system. This makes device
drivers a target of hacker attacks. If a hacker can replace a device driver with his own<br />
version, the device driver runs in kernel space, and then it can be used to access to any<br />
resource on the system.<br />
That is why the Windows operating system is particularly finicky about replacing device<br />
drivers. It prefers to use drivers that Microsoft has digitally signed.<br />
By using strong public key cryptography to verify the authenticity of a piece of software,<br />
the operating system makes it harder for malicious drivers to be installed (unless, of<br />
course, the user overrides the warning, which happens routinely).<br />
When a user program needs to access privileged resources, it makes a system call, which<br />
causes execution to transfer from the user program to a kernel library function. The<br />
calling program is interrupted, information to restart it later is saved in the call stack, and<br />
the library code begins to execute in privileged mode. When the library function<br />
completes its execution, the call stack is unwound to restore the processor state, and<br />
control is returned to the user program. If the library function takes some time to execute,<br />
the user program can be blocked for the duration. One common set of library routines is<br />
the C library (libc or MSLibC). These libraries handle the details of passing control from<br />
user to kernel programs and switching to supervisor mode.<br />
Privilege Escalation<br />
There are several ways that attackers attempt to beat this system. Because user programs<br />
are effectively in a memory jail and cannot access the kernel address space, the intruder<br />
goal is usually to overwrite some piece of code on the file system with a corrupted<br />
version that gives the hacker privileges. If a rogue program can replace a system<br />
executable with a hacked version, full ownership of the system can be achieved.<br />
There are two classic ways to hack a system in this manner<br />
• Create a buffer overflow in an existing program and use this to execute hacker<br />
code.<br />
• Trick the user into executing a hostile program through a web browser, mail<br />
program, or other application.<br />
After the hostile code is executing in user space, it has all the rights of the current user.<br />
The hackers want full ownership of the system. In many cases, executing any code<br />
provides full control, because users often have administration rights. There is no need for<br />
a typical corporate desktop user to have full privilege, so these users are over-privileged<br />
(this is the default profile in Microsoft Windows, for example). In the enterprise,<br />
establishing profiles with minimal user privilege is a good policy that helps protect the<br />
operating system from compromise.<br />
Fully compromising a system where users do not have administration privileges takes<br />
more work. The hacker has established a beachhead by executing the hostile code, but<br />
she must find some way to increase her access (privilege escalation). There are numerous<br />
techniques to accomplish this, but in essence, they must trick the kernel into executing a<br />
piece of hacker code.
Not all programs are created equally. Hackers often exploit bugs in programs running in<br />
privileged mode. From compromised user account, the hacker can run a buffer overflow<br />
exploit in a system executable that runs with full privileges. In Windows, this often<br />
means an exploit against a Windows Service, because it operates in privileged mode. In<br />
Unix, programs with suid root and world execute permissions are common targets for<br />
privilege escalation.<br />
Another approach is to trick the system into installing a compromised device driver,<br />
perhaps by convincing the user into downloading from a hostile server. The new device<br />
driver then opens up the system to the hacker, which can open network ports that can be<br />
used for remote access.<br />
Summary<br />
Maintaining information security requires absolute confidence in your operating system<br />
software. <strong>System</strong> designers have approached this by separating the operating system<br />
address space from that the user processes. Most CPU designs support this in hardware.<br />
Ring 0 is memory space where the operating system executes, and ring 3 is where user<br />
applications reside. To achieve full control of a system, intruders need a way to run<br />
programs in ring 0. They can do this by exploiting bugs in privileged programs or by<br />
replacing privileged programs, such as device drivers, with compromised versions.<br />
A well configured system is resistant to privilege escalation and unauthorized access.<br />
This requires the integrity of the operating system software, which is protected by layers<br />
of privilege within the hardware. All hail Ring 0!<br />
References<br />
Websites:<br />
<strong>Rings</strong> in Computer Security<br />
http://en.wikipedia.org/wiki/Ring_%28computer_security%29<br />
Rootkits on a PCI Card?<br />
http://securitywatch.eweek.com/rootkits/rootkits_on_a_pci_card.html<br />
The Quest for Ring 0<br />
http://www.securityfocus.com/columnists/402/3<br />
Papers<br />
Jerome H. Saltzer, Michael D. Schroeder, The <strong>Protection</strong> of Information in Computer<br />
<strong>System</strong>s<br />
http://cap-lore.com/CapTheory/ProtInf/<br />
Intel Corporation Intel Architecture Software Developer's Manual Volume 3: <strong>System</strong><br />
Programming<br />
http://download.intel.com/design/PentiumII/manuals/24319202.pdf
William J. Caelli: Relearning "Trusted <strong>System</strong>s" in an Age of NIIP: Lessons from the<br />
Past for the Future.<br />
http://cisse.info/history/CISSE%20J/2002/cael.pdf