20-771: Computer Security Lecture 5: Server Security, Unix - PowerPoint PPT Presentation


20-771: Computer Security, Lecture 5: Server Security, Unix

Robert Thibadeau

School of Computer Science

Carnegie Mellon University

Institute for eCommerce, Fall 2002


Today’s lecture

  • Server Security

    • Crashing machines and Stacheldraht!

  • Break (10 min)

  • Unix Server

    • Unix Access Control

  • Code to check SUID bits


Sept 11

Presentation


This Week

Chapters 4,5 WS


Server Side Security

  • Webjacking : Editing a page without your permission.

  • Stealing information.

  • Disabling your web site.

  • Authenticating Users, Authorizing Users


Why are Web Sites Vulnerable

  • Bugs in System Software

  • System Software is Incorrectly Configured

  • The Server Hardware isn’t Secure

  • Networks are Not Secure

  • Remote Authoring and Administration Tools Open Holes

  • Insider Threats are Overlooked


Bugs in System Software

  • System self destructs and hardware lost

  • System self destructs and software/data lost

  • System crashes and needs reboot

  • Software crashes and needs restarting

  • Software runs slowly/non-responsively

  • Software does something not intended

  • Software “feature” a nuisance


The “Buffer Overrun”

  • Really a whole range of attacks :

    • A program is handed long arguments. This causes the program to fail but leaves the user with write privileges.

    • A program is handed arguments that are interpreted and therefore can possibly be run.

    • Never use “exec” or “system” in cgi-bin

  • How common is it for a program/module to fail if given the wrong arguments?

  • Koopman.pdf


Koopman 2000 Data: BUFFER OVERRUNS LIVE ON!


Denial of Service: Large numbers of computers are recruited to create an attack

Stacheldraht (Barbed Wire) first reported by David Dittrich University of Washington December 29, 1999 (basis for giant DoS in Jan 2000):

  • The Client:

    • The client connects to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken". The attacker uses the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

  • The Master Server:

    • The master server handles all communication between client and agent programs.

  • The Agent:

    • The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.


Denial of Service II: Large numbers of computers are recruited to create an attack

Stacheldraht (Barbed Wire):

  • The Client:

    • Attacker uses client to manage Stacheldraht agents.

  • The Master Server:

    • The master server handles all communication between client and agent programs.

  • The Agent:

    • Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

  • The Attack:

    • Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines.

  • Where and How:

    • Stacheldraht agents were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd", "cmsd" and "ttdbserverd". They are often witnessed "in the wild".


Stacheldraht Model

Diagram (recovered from the slide): Client -> Master Server A, Master Server B -> AGENT A, AGENT B ... AGENT N -> YOU 1, YOU 2 ... YOU N.

First set up a bunch of master servers. Set up thousands of agents. Now say "march!" through any one or more of your master servers.


Stacheldraht Commands!

.distro user server Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon")

.help Prints a list of supported commands.

.killall Kills all active agents.

.madd ip1[:ip2[:ipN]] Add IP addresses to list of attack victims.

.mdie Sends die request to all agents.

.mdos Begins DoS attack.

.micmp ip1[:ip2[:ipN]] Begin ICMP flood attack against specified hosts.

.mlist List IP addresses of hosts being DoS attacked at the moment.

.mping Pings all agents (bcasts) to see if they are alive.

.msadd Adds a new master server (handler) to the list of available servers.

.msort Sort out dead/alive agents (bcasts). (Sends pings and shows counts/percentage of dead/alive agents).


Stacheldraht Commands! 2

.mstop ip1[:ip2[:ipN]] / .mstop all Stop attacking specific IP addresses, or all.

.msrem Removes a master server (handler) from the list of available servers.

.msyn ip1[:ip2[:ipN]] Begin SYN flood attack against specified hosts.

.mtimer seconds Set timer for attack duration. (No checks on this value.)

.mudp ip1[:ip2[:ipN]] Begin UDP flood attack against specified hosts. (Trinoo DoS emulation mode.)

.setisize Sets size of ICMP packets for flooding. (max:1024, default:1024).

.setusize Sets size of UDP packets for flooding (max:1024 default:1024).

.showalive Shows all "alive" agents (bcasts).

.showdead Shows all "dead" agents (bcasts).

.sprange lowport-highport Sets the range of ports for SYN flooding (defaults to lowport:0, highport:140).


SYN Floods

  • TCP Synchronization Handshake Attack

    • Client SYN, Server SYN-ACK, Client ACK (a three-way handshake, but the attacker stops after step 2 and never sends the final ACK)

  • The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.

  • netstat -a -f inet

    • Too many connections in the state "SYN_RECEIVED" indicates that the system is being attacked.
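To make the netstat check above concrete, here is an added example (written for these notes, not code from the lecture) that parses constructed netstat-style lines and reports the local port with the most half-open connections. The sample lines, the Linux SYN_RECV spelling and the threshold of 3 are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in `netstat -a -f inet` layout (not a real capture):
   proto recv-q send-q local-address foreign-address state. BSD and Solaris
   put the port after a '.', Linux after a ':'; both forms are handled. */
static const char *const sample_netstat[] = {
    "tcp  0 0 10.0.0.5.80  203.0.113.9.51234  SYN_RECEIVED",
    "tcp  0 0 10.0.0.5.80  203.0.113.10.4021  SYN_RECEIVED",
    "tcp  0 0 10.0.0.5.80  203.0.113.11.4022  SYN_RECEIVED",
    "tcp  0 0 10.0.0.5.80  198.51.100.7.3312  ESTABLISHED",
    "tcp  0 0 10.0.0.5:22  198.51.100.8:5511  ESTABLISHED",
    "tcp  0 0 10.0.0.5:22  203.0.113.12:4023  SYN_RECV",
    "tcp  0 0 *.25         *.*                LISTEN",
};
#define SAMPLE_LINES (sizeof sample_netstat / sizeof sample_netstat[0])

/* Port is the text after the last '.' or ':' of an address; -1 if absent or '*'. */
int local_port(const char *addr)
{
    const char *dot = strrchr(addr, '.'), *colon = strrchr(addr, ':');
    const char *sep = (colon && (!dot || colon > dot)) ? colon : dot;
    if (!sep || sep[1] == '\0' || sep[1] == '*') return -1;
    return atoi(sep + 1);
}

/* Count half-open (SYN_RECEIVED / SYN_RECV) entries per local port. Returns the
   port with the most, or -1 if none; *count receives that total. */
int busiest_half_open_port(const char *const lines[], int n, int *count)
{
    static int per_port[65536];
    int best_port = -1, best = 0;
    memset(per_port, 0, sizeof per_port);
    for (int i = 0; i < n; i++) {
        char local[64], state[32];
        if (sscanf(lines[i], "%*s %*s %*s %63s %*s %31s", local, state) != 2)
            continue;
        if (strcmp(state, "SYN_RECEIVED") && strcmp(state, "SYN_RECV"))
            continue;                       /* not a half-open connection */
        int port = local_port(local);
        if (port < 0 || port > 65535) continue;
        if (++per_port[port] > best) { best = per_port[port]; best_port = port; }
    }
    *count = best;
    return best_port;
}

int main(void)
{
    int n, port = busiest_half_open_port(sample_netstat, (int)SAMPLE_LINES, &n);
    printf("port %d has %d half-open connections%s\n", port, n,
           n >= 3 ? ": possible SYN flood, investigate" : "");
    return 0;
}
```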


If Stacheldraht did that then …

  • What is going on silently and without destruction?

  • Armies of agents?

    • Probably



Security Policy Components

  • Personnel

    • Access Levels

    • Authorization Procedures

    • Revocation of Authorization

  • Access Privileges

    • Local Login

    • Network Login

    • Authoring Access

    • Remote Server Administration

    • Browsing Access

    • CGI-Script Installation

    • Access to the /private directory


Security Policy Components

  • Personnel

  • Access Privileges

  • Network Services

    • Web

    • FTP

    • Other (no other)

  • Maintenance

    • 24X7

    • Backups


Setting up Unix

  • Apply vendor OS patches

  • Turn off unessential services

  • Add minimum number of user accounts

    • Make a back door for yourself to do admin for a while

  • Get the file and directory permissions right

  • NOW YOU CAN PUT UNIX ON THE INTERNET!

    • Lots of automated programs probe to get trojan horses on your machine and this can happen FAST!

    • Fastest we’ve seen in Computer Science: 11 Minutes and we had to rebuild the machine.


Unix Access

  • User and Group Access Rights are the Basis for Unix Security

    • Read, Write, Execute on a file/directory/device

  • The biggest TCO (total cost of ownership) in a computer system is administering and working with access control.

    • Because things just don’t work until you get the access rights working properly

    • People think it is something wrong with the program when it is really just the security environment that is set wrong.

  • A GREAT REASON to REALLY LEARN YOUR ACCESS CONTROL SYSTEM!


Unix Access Protections

  • What has access protections u-rwx g-rwx o-rwx?

    • Files

    • Directories

    • Devices (/dev/)

    • Programs (must have execute bit set).

  • All these have ONE user and ONE group that owns them.

  • Each User is ONE user and ONE DEFAULT group but many group memberships.

  • Types of protections applied when creating/modifying

    • User : rwx (u-rwx, -rwx------, or 0700)

    • Group : rwx (g-rwx, ----rwx---, or 0070) – other members of user’s group

    • Other : rwx (o-rwx, -------rwx, or 0007)

    • A directory : d (d--------- -> set automatically by file system)

    • SGID : (-----s--- or 2000) inherit group protections

    • umask 002 : automatically let everybody in group rwx

      • Need private user group : user mary, group mary if umask 002 not 022.

  • A user can be a member of many groups but only the primary defaults to write unless directory permission is set to overcome user permission (sgid bit set on directory).

  • When access is provided to a group, every member gets it.


Unix Access Permission Model

Diagram (recovered from the slide): a FILE / DIRECTORY / DEVICE / INODE owned by User A - Group A, approached by USER A (Group A), USER B (Group B), USER C (Group C) and OTHER (everyone else). The twelve mode bits and their octal values:

  • Special : Set UserID 4, Set GroupID 2, Set Sticky 1

  • User : Read 4, Write 2, Execute 1

  • Group : Read 4, Write 2, Execute 1

  • Other : Read 4, Write 2, Execute 1


Special Bits do ONE thing each: drwsrwsrwt

  • 4 Set User ID : causes an executable file (a program) to go into the access permissions of the owner of the file (note, group or OTHER could execute it!) not the person executing it. SUID to root is dangerous.

  • 2 Set Group ID : causes a new file that is being created in a directory to have the group ID of the directory, not the default group of the person (User) that is creating the file.

  • 1 Sticky Bit : Causes a new file created in a directory to be deletable only by the user who created it, not by just anybody in that directory.


Seeing Who you Pretend to Be.

  • idinfo script:

    #!/bin/sh
    # idinfo: Print user information
    echo " effective user-ID:"
    id -un
    echo " real user-ID:"
    id -unr
    echo " group ID:"
    id -gn


Set User ID Test

  • suidtest.c:

    /* suidtest.c */
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <unistd.h>

    int main(void)
    {
        /* secure SUID programs MUST not trust any user input
           or environment variable!! */
        char *env[] = { "PATH=/bin:/usr/bin", NULL };   /* hard-coded, clean environment */
        char prog[] = "/home/alice/idinfo";            /* hard-coded target, no user input */

        /* access() checks with the REAL uid: may the caller run it at all? */
        if (access(prog, X_OK)) {
            fprintf(stderr, "ERROR: %s not executable\n", prog);
            exit(1);
        }
        printf("running now %s ...\n", prog);
        execle(prog, prog, (const char *)NULL, env);   /* argv[0], then the clean env */
        perror("suidtest");                            /* only reached if execle() failed */
        return 1;
    }


More on SUID

  • gcc -o suidtest -Wall suidtest.c

  • chmod 4755   suidtest OR

  • chmod u+s   suidtest

  • ls -l suidtest

  • suidtest idtest

  • Set-UID programs are often used by "root" to give ordinary users access to things that normally only "root" can do. As root you can, e.g., modify suidtest.c to allow any user to run the ppp-on/ppp-off scripts on your machine.

  • Note: It is possible to switch off SUID when mounting a file system. If the above does not work then check your /etc/fstab. It should look like this:

    /dev/hda5 / ext2 defaults 1 1

    If you find the option "nosuid" there then this SUID feature is switched off. For details have a look at the man-page of mount.


SUID User Bit

  • If root owns the file with the s-bit set, any user can then do things that normally only root can do.

  • A few words on security.

  • When you write a SUID program then you must make sure that it can only be used for the purpose that you intended it to be used.

  • Always set the path to a hard-coded value.

  • Never rely on environment variables or functions that use environment variables.

  • Never trust user input (config files, command line arguments....). Careful on BUFFER OVERFLOWAAA…!

  • Check user input byte for byte and compare it with values that you consider valid.
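The agenda item "Code to check SUID bits" is covered by this added example, written for these notes and not part of the lecture: it classifies a file from its stat data (SUID, SUID owned by root, SGID, and a set-ID file that group or other can write) and walks a tree with nftw to list what it finds. The flag names, the default start directory /usr/bin and the output format are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <stdio.h>
#include <sys/stat.h>

/* Audit findings for one regular file, as a bitmask. */
enum {
    F_SUID      = 1,  /* set-user-ID bit present */
    F_SUID_ROOT = 2,  /* ... and owned by root, so it runs as uid 0 */
    F_SGID      = 4,  /* set-group-ID bit present */
    F_WRITABLE  = 8   /* set-ID file writable by group or other: people who do
                         not own it can change what runs with its privileges */
};

/* Pure classification from stat data, testable without touching a disk.
   Directories return 0: on them SGID and sticky mean group inheritance and
   delete protection (the slide's other two uses), which is not a finding. */
int classify_special_bits(const struct stat *st)
{
    int f = 0;
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_mode & S_ISUID) {
        f |= F_SUID;
        if (st->st_uid == 0) f |= F_SUID_ROOT;
    }
    if (st->st_mode & S_ISGID) f |= F_SGID;
    if ((f & (F_SUID | F_SGID)) && (st->st_mode & (S_IWGRP | S_IWOTH)))
        f |= F_WRITABLE;
    return f;
}

/* nftw callback: one line per set-ID file, with the risk flags spelled out. */
static int report(const char *path, const struct stat *st, int type, struct FTW *ftw)
{
    (void)ftw;
    if (type != FTW_F) return 0;
    int f = classify_special_bits(st);
    if (f)
        printf("%04o uid=%u %s%s%s%s\n", (unsigned)(st->st_mode & 07777),
               (unsigned)st->st_uid,
               (f & F_SUID_ROOT) ? "SUID-ROOT " : (f & F_SUID) ? "SUID " : "",
               (f & F_SGID) ? "SGID " : "",
               (f & F_WRITABLE) ? "WRITABLE-BY-OTHERS " : "", path);
    return 0;
}

/* Walk a tree without following symlinks or crossing mount points. */
int audit_setid_files(const char *root) { return nftw(root, report, 32, FTW_PHYS | FTW_MOUNT); }

int main(int argc, char **argv)
{ return audit_setid_files(argc > 1 ? argv[1] : "/usr/bin") == 0 ? 0 : 1; }
```

Run it as an unprivileged user over a directory you administer; the classification mirrors what `find / -perm -4000` style audits look for, with the writable-by-others case made explicit.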


umask

  • Applies only when you are creating a file (directory, device…)

  • 022 is the general default : only you can write a file but everybody else can read and execute it. It is a mask on the file settings given by environment.

  • 002 lets everybody in your group write the file.

  • 000 lets everybody write the file.

  • 277 lets only you read and execute (safety)

  • Just type “umask 277” in a shell window and now when you make a file, it will have these attributes.


Unix Access Control is

  • VERY SIMPLE! Only four sets of three bits for any file or directory (or device)

  • You are you, a member of a default group, and a member of N other groups.

  • You have a umask which limits the access to any file or directory you create.

  • Three of the four sets of three bits are read-write-execute for you, ONE group—usually your default, and others (anybody else)

  • One is 3 special bits with special purposes that let

    • an executable do things you can’t do,

    • let you work with a group in a group directory, and

    • let you let a group read and write but they can’t delete your file (modify only).



P3P : Personal Info Privacy

  • www.w3.org/p3p, yuan.ecom.cmu.edu/privacy, p3p.jrc.it (JAVA CODE)

  • Client makes any first http request

  • Server includes in its http response header a pointer to its p3p policyref (policy reference page).

  • Client MAY now check the p3p policyref before proceeding to any next interaction with the server.

  • Method is to apply APPEL rules.

  • Each APPEL rule looks at a part of the policyref and decides to ACCEPT, REJECT, INFORM or WARN the person.


P3P XML Tree

Diagram (recovered from the slide): the elements of a P3P POLICY and the question each one answers.

  • ENTITY : Who is the organization?

  • ACCESS : What info can you, as a user, access (e.g., your retirement balance)?

  • DISPUTES-GROUP / DISPUTES : If privacy violated?

  • STATEMENT : What privacy do they promise and about what?

  • DATA-GROUP

  • DATASCHEMA : Special data representations, e.g. car.year.model

  • EXTENSION (EXT) : appears under several of the elements above


P3P Summary

Diagram (recovered from the slide): the P3P vocabulary, grouped by element.

  • CATEGORIES/ : physical/, online/, uniqueid/, purchase/, financial/, computer/, navigation/, interactive/, demographic/, content/, state/, political/, health/, preference/, location/, other/

  • PURPOSE/ : current/, admin/, develop/, customization/, Targeting/, profiling/, Contact/, Other-purpose/

  • RECIPIENT/ : ours/, same/, delivery/, Other-recipient/, unrelated/, public/

  • RETENTION/ : No-retention/, Stated-purpose/, Legal-requirement/, Business-practices/, indefinitely/

  • ACCESS : Nonident/, All/, Contact_and_other/, Ident_contact/, Other_ident/, none

  • DISPUTES : resolution-type (Service/, Independent/, court/, law/), IMG

  • REMEDIES : correct/, money/, law/


APPEL Rules

  • If you are taking my name and the recipient is “other recipient” maybe I want to reject.

  • If you are taking my name and the recipient is “other recipient” but there is extended text (the machine can’t read this – only know it is there) then maybe I WARN and put this text in the warning window.

