Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture Securing Unix Topics Trusted Unix Releases Unix Security Risks Set-uid Buffer Overflow Problems July 1, 2003 CSCE 517 Forensic Computing.

Published byMilo Richardson Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture Securing Unix Topics Trusted Unix Releases Unix Security Risks Set-uid Buffer Overflow Problems July 1, 2003 CSCE 517 Forensic Computing."— Presentation transcript:

1 Lecture Securing Unix Topics Trusted Unix Releases Unix Security Risks Set-uid Buffer Overflow Problems July 1, 2003 CSCE 517 Forensic Computing

2 – 2 – CSCE 517 Sum 03 Unix Wrapup Password file structure Group file Superusersusudosetuidguid Buffer Overflow http://secinf.net/uparticle/l/p49-14.txt

3 – 3 – CSCE 517 Sum 03 Unix History 1965 Multics Operating Systems project, a multiuser, multiple concurrent users, data sharing 1969 Ken Thompson at Bell Labs developed an operating system he called Unix (a pun on Multics) 1970 Dennis Ritchie developed the language C and a compiler for it. Thompson wrote the second version of Unix largely in C (90% C 10% assembly language) Late 1970’s - Bell Labs effectively gave away Unix to universities BSD (Berkeley Software Division) branch 1991 Linux - a graduate student, Linus Torvalds, implemented an open source version of Unix Linus TorvaldsLinus Torvaldshttp://www.levenez.com/unix/

4 – 4 – CSCE 517 Sum 03 Open Source Systems Unix was almost the first open-source, but Bell Labs really retained some of the rights GNU Free Software Foundation Gnu emacs – Richard Stallman gcc - gnu c compilerLinux Red Hat Mandrake … Open BSD a “hardened” system

5 – 5 – CSCE 517 Sum 03 OpenBSD Derived from BSD branch Pays special attention to security issues Security Benefits “Out-of-the-box” hardened system configuration; no effort Strong Cryptography up and ready OpenSSH – remote secure shell (secure “telnet”) IPSec - Strong PRNG (Pseudo Random Number Generator) http://www.openbsd.org Standard Linux releases can be configured “hardened” but OpenBSD comes that way.

6 – 6 – CSCE 517 Sum 03 OpenSSH The problem with telnet – SSH – Secure Shell, … “What is Secure Shell” FAQ http://www.employees.org/~satch/ssh/faq Is it a Protocol or Program?

7 – 7 – CSCE 517 Sum 03 OpenSSH Servers and Clients SSH servers OpenSSH Project SSH Clients Putty https://www.cse.sc.edu/FTP Lists: http://www.ece.nwu.edu/~mack23/ssh-clients.html http://www.freessh.org http://www.freessh.org SCP – secure copy, http://www.I-tree.org SSH Resources Implementation – Univ Florida paper http://www.boran.com/security/sp/ssh-part1.html

8 – 8 – CSCE 517 Sum 03 SSH Implementation

9 – 9 – CSCE 517 Sum 03 IPSec

10 – 10 – CSCE 517 Sum 03 Strong PRNG Strong PRNG (Pseudo Random Number Generator)

11 – 11 – CSCE 517 Sum 03 Multilevel Trusted Systems http://www.sei.cmu.edu/str/descriptions/trusted_body.html Principles of trusted operating systems (TOS)  The principle of least privilege  Mandatory Access Controls – a means of restricting access to objects based on the sensitivity of the information  Privilege bracketing – enabling and disabling privilege around the smallest section of code that really needs it Trusted Solaris Trusted BSD NSA (National Security Agency) http://www.nsa.gov/selinux/index.html

12 – 12 – CSCE 517 Sum 03 Unix Security Risks  Poorly chosen passwords Ref  Old/misconfigured/buggy network daemons Use of telnet, ftp, rsh, …  Buggy privileged programs (setuid/setgid)  Filesystem nightmares  Insecure applications

13 – 13 – CSCE 517 Sum 03 Unix Password Structure Original Scheme /etc/passwd Format login:encryptedPassword: Commands that access name info: Who, ls, fingercrypt

14 – 14 – CSCE 517 Sum 03 Shadow Passwords A number of useful Unix commands make use of much of the information in the password file. But, why does the encrypted password need to be there? It doesn’t move this to /etc/shadow that only root can read!

15 – 15 – CSCE 517 Sum 03 Password Common Sense Use good strong ones! http:// Modified Phrase Acronyms (keep punctuation, insert special) “I left my heart in San Francisco”  !lmyi$F Educate Users on common mistakes Ref Shear idiocy: Blank, Login, loginReversed Other Simple ones Check up on users Dictionary checks Use proactive password checkers Check the password as entered for quality

16 – 16 – CSCE 517 Sum 03 Password Procedures Enforce lock down after 3 to 5 failures Help Desk “password reset” procedures Help desk call - “this is Dean White reset my password!” Procedures: phone back at preset number or voicemail Don’t reset password always to the same value or to a value that is a function of the user (Soc-Sec) Use phonetic password generator – so they can be pronounced over the phone Password Station - electronic reset of passwords http://www.passwordstation.net Avoid hardcoding passwords in scripts!

17 – 17 – CSCE 517 Sum 03 Set UID / Set GID The Need Consider the problem of a user changing their password. How can they be allowed to write the entry in the file /etc/shadow? This would mean they could change other user’s passwords. Setuid – Normally when a program runs it runs as the user that started it A setuid program “changes the user id” to the owner of the file that contains the program ls –l /bin/passwd Thus /bin/passwd runs with the priviledges of “root” chmod 01755 file ???

18 – 18 – CSCE 517 Sum 03 Set UID / Set GID Set UID programs are necessary No passwd command  System Admin called each time a password is changed !? Set UID files Extreme care must be used in their implementation One failure of a setuid application  game over, the attacker has root priviledge http://www.safermag.com/html/safer25/alerts/33.html Set-gid wrinkles Works the same way but Can be set on a directory, which inherited by each file in the subtree.

19 – 19 – CSCE 517 Sum 03 Exploiting Set UID Programs Skeleton of a setuid program Non-priviledged section code Setuid system call priviledged section code Restore uid with another setuid syscall Non-priviledged section code Note the problem is not just writing secure priviledged sections, because a problem in the non-priviledged section can lead to another setuid call ! A buffer overflow anywhere in a setuid program can result in someone becoming root. A buffer overflow anywhere in a setuid program can result in someone becoming root. Setuid, exec shell

20 – 20 – CSCE 517 Sum 03 Set UID Programs Unix systems ship with typically 70-100 setuid programs Passwrd, ping … SecurityFocus.com BugTraq reports of new setuid problems So what is a Systems Administrator to do? Setuid lock-down tips Solaris http://ist.uwaterloo.ca/security/howto/2000-08-17http://ist.uwaterloo.ca/security/howto/2000-08-17 Linux

21 – 21 – CSCE 517 Sum 03 Set UID Lockdowns  Avoid installing the full installation  List set uid/set gid programs find / -perm –u+s –print find / -perm –g+s –print  For those that only root needs to run remove setuid bit  Identify setuid programs that leak information Ps, top, netstat  Identify setuid programs that only a trusted group needs; remove access to “others”  Identify those that you think no one will ever need. AUSCERT wrapper  For essential ones modify the AUSCERT wrapper Don’t accept long arguments or environment variables

22 – 22 – CSCE 517 Sum 03 Breaking Set UID Programs for Fun and Profit

23 – 23 – CSCE 517 Sum 03 Umask What are the default permissions set on a file when it is created? The umask is an mask that is used to mask out bits in the permissions. e.g. if umask is 023 then Group – 2 = 010  ‘w’ is masked out Others – 3 = 011  ‘w’ and ‘x’ are masked out Umask manipulation Umask command – can be run at prompt but usually in setup scripts Common default 022 Frequently set in /etc/profile

24 – 24 – CSCE 517 Sum 03 Umask Dangers In Unix the way one process creates another is using the system call fork. Umask is inherited across forks Init is the process that creates various “login processes” which create the shells, which create user files If init has has too loose of a umask then too many files will be readable.

25 – 25 – CSCE 517 Sum 03 Chroot for servers

26 – 26 – CSCE 517 Sum 03 Caveats of Chroot Not a virtual computer; it’s a filesystem abstraction Escape from chroot jail  If process has root access the game is over. To Break out first create devices to access memory directly then modify the process’s idea of the root directory  http://www.bpfh.net/simes/computing/chroot-break.html http://www.bpfh.net/simes/computing/chroot-break.html  User Mode Linux (UML) – http://user-mode-linux.sourceforge.net/

27 – 27 – CSCE 517 Sum 03 Root Privileges Managing the password of root  Use a strong password  Never let a naïve or reckless user have the password.  Disable remote root logins  Use su to gain root access Su – switch user

28 – 28 – CSCE 517 Sum 03 Sudo Use to permit/control access to privileged programs e.g., sudo ethereal

29 – 29 – CSCE 517 Sum 03 Rootkit Countermeasures http://www.tripwire.org http://www.kernelhacking.org http://packetstormsecurity.nl/Unix/penetration/rootkits LKM support

30 – 30 – CSCE 517 Sum 03 R-Services TCP ports 513 and 514 rlogindrshd r-Services Risks Just don’t use them or telnet or FTP! Use SSH

31 – 31 – CSCE 517 Sum 03 Assessing Vulnerabilities of a Unix System  Use network based scanner tool to identify remotely exploitable security holes (e.g., Nessus discussed later)  Prioritize by risk analysis  Draw up and execute plan for fixing the problems  Use network based scanner tool to identify locally exploitable security holes  Identify biggest risks and get to work. Scanners, Intrusion Detection Systems, etc. later

32 – 32 – CSCE 517 Sum 03 Unix Host Lockdown Host lockdown is the process of making a system compliant with the established security policy Approaches Manually make the changes Manually make the changes Develop a script or scripts to automate the changes Develop a script or scripts to automate the changes Use a hardening tool Use a hardening tool Host hardening tools YASSP (Yet Another Solaris Security Package) http://www.yassp.org TITAN http://www.fish.com/titanhttp://www.fish.com/titan Bastille Unix http://www.bastille-linux.org/http://www.bastille-linux.org/

33 – 33 – CSCE 517 Sum 03 Buffer Overflow Problems A lot of well known attacks on systems take advantage of buffer overflows Activation Stack – stores local variables, return address for each separate function call

34 – 34 – CSCE 517 Sum 03 IA32/Linux Stack Frame Current Stack Frame (“Top” to Bottom) Parameters for function about to call “Argument build” Local variables If can’t keep in registers Saved register context Old frame pointer Caller Stack Frame Return address Pushed by call instruction Arguments for this call Stack Pointer ( %esp ) Frame Pointer ( %ebp ) Return Addr Saved Registers + Local Variables Argument Build Old %ebp Arguments Caller Frame

35 – 35 – CSCE 517 Sum 03 Buffer Overflow Stack echo: pushl %ebp# Save %ebp on stack movl %esp,%ebp subl $20,%esp# Allocate space on stack pushl %ebx# Save %ebx addl $-12,%esp# Allocate space on stack leal -4(%ebp),%ebx# Compute buf as %ebp-4 pushl %ebx# Push buf on stack call gets# Call gets... /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo

36 – 36 – CSCE 517 Sum 03 Malicious Use of Buffer Overflow Input string contains byte representation of executable code Overwrite return address with address of buffer When bar() executes ret, will jump to exploit code void bar() { char buf[4]; gets(buf);... } void foo(){ bar();... } Stack after call to gets() B return address A foo stack frame bar stack frame B exploit code pad data written by gets()

37 – 37 – CSCE 517 Sum 03 Buffer Overflow Ex. Activation Record for bar() Arguments Return address (4 bytes) Local variables buf[4] How do you get foo to return somewhere other than 04100000? Is this Big or Little Endian? 101004 100901 100800 100700 1006 1005 1004 1003 1002 1001 1010 0999 0998 0997 0996 0995 foo RA buf[3] buf[2] buf[1] buf[0] bar RA

38 – 38 – CSCE 517 Sum 03 Avoiding Overflow Vulnerability Use Library Routines that Limit String Lengths fgets instead of gets strncpy instead of strcpy Don’t use scanf with %s conversion specification Use fgets to read the string /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); }

39 – 39 – CSCE 517 Sum 03 Avoiding Buffer Overflow Attacks Immunix Developed a modified compiler, StackGuard Linux Kernel patches System Call Wrappers

40 – 40 – CSCE 517 Sum 03 Buffer Overflow References-HowTo “Compromised-Buffer-Overflows, from Intel to SPARC Version 8” by Mudge from “@Stake” http://www.astake.com/research/advisories/1996/bufitos.pdf “The Tao of Windows Buffer Overflow” by Dildog again from @Stake http://www.cultdeadcow.com/cDc_files/cDc-351 ”Smashing the Stack for Fun and Profit” by Aleph1 of SecurityFocus.com, Issue 49 of Phrack http://www.shmoo.com/phrack/Phrack49/p49-14

41 – 41 – CSCE 517 Sum 03 Summary

Download ppt "Lecture Securing Unix Topics Trusted Unix Releases Unix Security Risks Set-uid Buffer Overflow Problems July 1, 2003 CSCE 517 Forensic Computing."

Similar presentations

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Linux’ Security Haifa Linux Club 21.10.99 Orr Dunkelman.

Linux’ Security Haifa Linux Club Orr Dunkelman.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Home: www.cse.dmu.ac.uk/~pkang Phones OFF Please Unix Kernel Parminder Singh Kang Home: www.cse.dmu.ac.uk/~pkang Email: pkang@dmu.ac.uk.

Home: Phones OFF Please Unix Kernel Parminder Singh Kang Home:
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Mid 1960 ’ s - Multics - proposed by AT&T, Honeywell, GE & MIT; funded by DARPA 1969 - Thompson & Ritchie create Unix 1978 to 84 - Bill Joy & Chuck Haley.

Mid 1960 ’ s - Multics - proposed by AT&T, Honeywell, GE & MIT; funded by DARPA Thompson & Ritchie create Unix 1978 to 84 - Bill Joy & Chuck Haley.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Similar presentations

Ads by Google