Immunix & Defcon: Defending Vulnerable Code From Intense Attack (presentation transcript, 4/23/2003)


Immunix & Defcon: Defending Vulnerable Code From Intense Attack
Crispin Cowan, Ph.D, Seth Arnold, Steve Beattie, Chris Wright (WireX) and John Viega (Secure Software)

Talk Outline
About WireX and Immunix
–Secure Linux systems
The Defcon Challenge
–Defend vulnerable code against massive attack
Technology Transfer
–Commercial products built on this technology

Software Security
Software security is really simple: make sure you only run perfect software. Uh-oh :-)
Intrusion Prevention:
–Systems that detect attack attempts in real time, and reject them
–When bugs occur, they are not exploitable: the attacker cannot exploit the bug to gain unintended privileges

Immunix Security Technologies
Shipping:
–StackGuard: stops buffer overflows
–FormatGuard: stops printf format bugs
–RaceGuard: stops temp file races
–SubDomain: contains vulnerable programs

StackGuard
Stack Smashing Problem:
–Weak bounds checking on inputs in C programs
–Attacker overflows an input buffer, corrupting adjacent state to gain control of the program
–Most common target: the function return address on the stack
StackGuard:
–C compiler enhancement
–Ornaments the call stack with a "canary" word between the local buffers and the return address; the function epilogue checks it, and a corrupted canary means the frame was smashed, so the program is halted before the bogus return address is used
–Very low performance overhead
–WireX has been shipping a fully StackGuard'd system since 1999
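The canary check in the slide, as an added example that is not StackGuard's own compiler code. A real StackGuard frame is laid out by the compiler; here the frame is modelled as a struct (buffer, canary, return address) so that the overflow stays inside one C object and the program behaves deterministically. The canary value 0x000aff0d is StackGuard's classic "terminator" canary (NUL, CR, LF, EOF); the payload and the stand-in return address are constructed for the example.

```c
/* Added example: a model of the StackGuard canary check.
 * The struct stands in for a stack frame laid out by the compiler. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0x000aff0dUL       /* StackGuard terminator canary: NUL CR LF EOF */

struct frame {
    char buf[16];                 /* local input buffer (lowest address) */
    unsigned long canary;         /* StackGuard word between buffer and return address */
    unsigned long ret;            /* saved return address (highest address) */
};

enum { FRAME_OK = 0, FRAME_SMASHED = 1 };

/* Unbounded copy (gets()/strcpy() style): the copy does not stop at
 * sizeof(buf), so excess bytes overwrite the canary and then the return
 * address.  Returns what the StackGuard epilogue check would see. */
int call_vulnerable(const unsigned char *input, size_t len, unsigned long *ret_seen)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.ret = 0x08048abcUL;         /* stand-in for the legitimate return address */

    if (len > sizeof f)           /* keep the model inside the struct */
        len = sizeof f;
    memcpy((unsigned char *)&f, input, len);   /* the overflow */

    if (ret_seen)
        *ret_seen = f.ret;
    /* epilogue: StackGuard compares the canary before returning */
    return f.canary == CANARY ? FRAME_OK : FRAME_SMASHED;
}

/* The source-level fix: a bounded copy never reaches the canary. */
int call_bounded(const unsigned char *input, size_t len, unsigned long *ret_seen)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.ret = 0x08048abcUL;
    memcpy(f.buf, input, len < sizeof f.buf ? len : sizeof f.buf);
    if (ret_seen)
        *ret_seen = f.ret;
    return f.canary == CANARY ? FRAME_OK : FRAME_SMASHED;
}

/* Constructed attacker payload: 16 bytes of filler to fill buf, 8 bytes
 * landing on the canary, then a fake return address (0xdeadbeef). */
static const unsigned char payload[] =
    "AAAAAAAAAAAAAAAA"
    "BBBBBBBB"
    "\xef\xbe\xad\xde\0\0\0\0";

int main(void)
{
    unsigned long ret = 0;
    int r = call_vulnerable(payload, sizeof payload - 1, &ret);
    printf("unbounded copy: %s (return address now 0x%lx)\n",
           r == FRAME_SMASHED ? "canary corrupted, halt before return" : "ok", ret);
    r = call_bounded(payload, sizeof payload - 1, &ret);
    printf("bounded copy:   %s (return address 0x%lx)\n",
           r == FRAME_OK ? "canary intact" : "smashed", ret);
    return 0;
}
```

The point the model makes is the ordering: because the canary sits between the buffer and the return address, any linear overflow that reaches the return address must pass through the canary first, which is why the epilogue check catches it.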

FormatGuard
Format String Problem: sudden discovery in June 2000
–Vulnerability in WU-FTPD
–Followed by hundreds of similar vulnerabilities
Basis: the arcane %n printf format directive
–Treats the corresponding argument as an int *
–Writes back the number of characters output so far
Problem: programs that pass unfiltered user input strings directly to printf as the format argument, so the attacker chooses the directives
FormatGuard:
–Similar to StackGuard: a compiled-in defense against printf format string vulnerabilities
–CPP macro counts the arguments at the call site at compile time
–Compares that number to the number of conversions in the format string presented at run time; a format that asks for more arguments than the call supplied is rejected
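The two halves of the FormatGuard check, as an added example that is not FormatGuard's own code. The macro counts the arguments at the call site at preprocessing time (the same CPP trick FormatGuard used, here limited to 9 arguments); the wrapper counts the conversions the format string asks for at run time and refuses to print when the format wants more arguments than were supplied, which is exactly what an attacker-supplied "%x%x%x%n" does. Names (GUARDED_PRINTF, guarded_printf, count_conversions) and the sample formats are this example's own.

```c
/* Added example: call-site argument counting plus a run-time conversion count,
 * the two halves of a FormatGuard-style printf check. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count all macro arguments (format string included), up to 9. */
#define COUNT_ARGS(...) COUNT_ARGS_(__VA_ARGS__, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
#define COUNT_ARGS_(_1, _2, _3, _4, _5, _6, _7, _8, _9, N, ...) N

/* Drop-in replacement for printf(fmt, ...): passes the number of value
 * arguments (everything after the format) to the run-time check. */
#define GUARDED_PRINTF(...) guarded_printf(COUNT_ARGS(__VA_ARGS__) - 1, __VA_ARGS__)

/* Number of conversions in fmt that consume an argument.  "%%" is a literal
 * percent sign and consumes nothing; every other conversion, %n included,
 * consumes one.  A '*' width/precision consumes one more; positional '$'
 * forms are deliberately over-counted so they are rejected, not passed. */
int count_conversions(const char *fmt)
{
    int n = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {              /* "%%" */
            p++;
            continue;
        }
        n++;                          /* this conversion consumes an argument */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) {
            if (*p == '*' || *p == '$')
                n++;
            p++;
        }
        if (*p)
            p++;                      /* the conversion character itself */
    }
    return n;
}

/* 1 if the format can be satisfied by nargs arguments, 0 if it wants more. */
int format_check(int nargs, const char *fmt)
{
    return count_conversions(fmt) <= nargs;
}

/* printf that refuses formats demanding more arguments than were supplied.
 * Returns the character count from vprintf, or -1 when the call is rejected. */
int guarded_printf(int nargs, const char *fmt, ...)
{
    if (!format_check(nargs, fmt)) {
        fprintf(stderr, "FormatGuard: format \"%s\" wants %d arguments, %d supplied; call rejected\n",
                fmt, count_conversions(fmt), nargs);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

/* The vulnerable idiom is printf(user_input); with the wrapper the same call
 * is GUARDED_PRINTF(user_input), which arrives with 0 value arguments. */
int demo_untrusted(const char *user_input)
{
    return GUARDED_PRINTF(user_input);
}

int main(void)
{
    const char *name = "score'bot";
    GUARDED_PRINTF("hello %s, %d conversions checked\n", name, 2);
    /* constructed attacker input reaching printf as the format string */
    demo_untrusted("%08x.%08x.%08x.%n");
    return 0;
}
```

The check is necessarily conservative: a legitimate call with fewer conversions than arguments passes, while anything that would read or write past the supplied arguments is refused, since that is the only thing %n-based exploitation needs.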

RaceGuard
Temporary File Race Problem:
–The portable procedure for temporary file creation (check that the name is free, then create it) is non-atomic
–If the attacker gets in the middle (e.g. plants a symlink under that name between the check and the create), they can redirect temporary file creation by privileged programs to corrupt the system
RaceGuard:
–Kernel enhancement to detect race attacks mid-way through
–Abstract method: detect changes between the stat() and open() accesses to the same file name

Containment
If your software is vulnerable anyway, you need to contain it so that it runs with the least privilege necessary to perform its designated function
–chroot: basic isolation for vulnerable programs
–Immunix SubDomain: flexible confinement for vulnerable programs

Containment With chroot
"Change root": makes some subdirectory appear to be the root ("/") directory for the calling process and its children
–Available as both a shell command and a system call
Effect: chroot'd programs cannot affect anything outside the chroot "jail"
–Limits impact of bugs in the program, e.g. chroot BIND
Benefits:
–Standard: comes with most UNIXes
–Compatible: several current programs have been modified to work within a chroot jail
–Fast: no performance degradation
Limitations:
–Work: must move copies of everything a jailed program needs into the jail
–Isolation: jailed program cannot interact at all with the rest of the system
–Not a privilege boundary for root: a process that keeps uid 0 inside the jail can escape it, so chroot has to be paired with chdir into the jail and dropping privileges

Containment With Immunix SubDomain
Part of the Immunix kernel extension:
–Specify the list of files that a SubDomained program may access, and how (read, execute, ...)
Effect: SubDomained programs cannot affect anything they don't explicitly need access to
–Limits impact of bugs in the program, e.g. SubDomain CGI scripts
Benefits:
–Flexible: SubDomained programs can have controlled interaction with the rest of the system
–Compatible: SubDomain can confine binary programs without modifications
–Fast: 1% or less performance overhead
Limitations:
–Work: must specify the "shape" of the SubDomain profile (the set of files and access modes)

Containing PHF
PHF: infamous vulnerable CGI script
–Legitimate function: database lookup of user information
–Sloppy parsing of CGI input
–Can get PHF to start an xterm on an arbitrary display
To SubDomain PHF:
–Specify all the files that PHF needs
Effect:
–Access to all other files is denied
–Including xterm :-)
Place this file in /etc/subdomain.conf/phf:

  /home/httpd/cgi-bin/phf {
    /bin/sh x,
    /etc/ld.so.cache r,
    /etc/nsswitch.conf r,
    /lib/ld-linux.so.2 r,
    /lib/libc.so.6 r,
    /lib/libtermcap.so.2 r,
    /usr/local/bin/ph ix,
  }

(Access modes: r = read, x = execute, ix = execute while inheriting this profile, so /usr/local/bin/ph runs confined by the PHF profile rather than unconfined. Any path not listed, /usr/X11R6/bin/xterm included, is denied.)

WireX Systems: Immunix Secure OS
–Linux system similar to Red Hat Linux, RPM based
–All source-available programs compiled with StackGuard and FormatGuard (PointGuard in future releases)
–Kernel equipped with SubDomain and RaceGuard
–All network-accessible daemons SubDomain-profiled

Experimentation...
Some real-world red teaming: play an Immunix server in the Defcon Capture the Flag (CtF) games
Almost no holds barred:
–No flooding
–No physical attacks
New gaming rig designed by the Ghettohackers

Basic Defcon CtF Rules
Player nodes
Score'bot:
–Polls player nodes, looking for the required services
–If all services are found, scores one point for the flag currently on that node
–... while each team tries to replace the others' flags with their own

No Flooding
DoS attacks are not interesting
Explicit rule against flooding attacks
–Game masters will make you stop if you are caught at it
–Goal: ensure that all teams are actually able to play
Penalties:
–Kicked out for overt DoS attacks
–Pay for bandwidth with a point penalty

Area View (photo slide)

Sporting Event
–Teams named funky colors
–Score obfuscated
–There was an official bookie :-)
–Score broadcast on hotel cable
–Immunix was white, hence "Weiss Labs"

The Catch
The required services are secret. Only a few clues:
–They supply us with a VMware/Linux image: a reference distribution that provides all required services. It is also riddled with vulnerabilities.
–The score'bot polls for the required services, but it stops its poll if it finds something it doesn't like

The Reference Distribution
–Red Hat 6.2, unpatched
–nmap shows nearly everything open: finger, POP, IMAP, SMTP, SNMP, Webmin...
–Apache running as root
–CGIs for adduser and deleteuser: anonymous users can create a login on your node, as any user number, including zero

Example Services the Score'bot Wanted
–Create a user
–Send that user mail
–Finger the user
–POP in to fetch the mail
–Delete the user
Note: no crypto protocols
–No proper authentication of the score'bot
–Must heuristically distinguish score'bot traffic from attacks using behavior signatures

Interesting Challenge
Not just survive severe attack, but also:
–Protect bad code
–A lot of it
–Vague functional specification
–Rapid deployment
Great new game infrastructure from the Ghettohackers
–Interesting challenge
–Engaging scoreboard

Captain's Meeting
–Explain the rules in detail
–Hand us the reference distribution

Setting Up (photo slide)

The Popular Strategy: Human Intrusion Detection
Launch the reference Linux distribution
Ad hoc patch as stuff happens
Defend:
–Look for logins, i.e. non-score'bot behavior
–Kill them off ASAP
–Very labor-intensive

The Immunix Strategy: Protect Bad Code with Immunix Tools
Port all plausible services to the Immunix 7+ distribution
–Use our own fingerd, httpd, etc., up to date and compiled with StackGuard and FormatGuard
–Run on an Immunix kernel with SubDomain and RaceGuard
–Wrap vulnerable services and CGIs with SubDomain profiles to limit access to the least privilege necessary
Launch only when we were reasonably confident that the Immunix machine was configured securely

Dealing with Logins: the SubDomain Shim
Change the adduser CGI to use a special default shell: /bin/fubush
–/bin/fubush is just a hard link to /bin/bash
–SubDomain profiles are keyed by program path, so the hard link gets its own profile, restricted to only the operations the score'bot needs
Attackers can go ahead and create a login with uid 0 and it still won't do them any good
–They get a root shell, stuck in a tiny sandbox

Immunix Team (photo slide)
Me, Chris Wright, Seth Arnold, Steve Beattie, plus 15 volunteers

From Our Corner (photo slide)
John Viega, Me, Chris Wright, Seth Arnold, Steve Beattie

Mental Stress
This is a tough game to play
–Head-to-head competition with a lot of very smart people
–Real-time, continuous
The intensity of qualifying exams
–That go on for 22 hours in a 48 hour period
–... set in the middle of a rave
Hydrate or die :-)

Rave
–Loud music
–Smoking
–Gawkers
–Social engineering
–Periodic "news breaks"

Our Strategic Error
What We Did:
For the first 4 hours
–No server at all
–Porting services to Immunix ASAP, based largely on nmap and source inspection
Next 4 hours
–Launch the Immunix server
–It's secure, but is not making the score'bot happy
Cost us massive points
–Too focused on the science of "can we defend Immunix?" and not enough on the game rules
What We Should Have Done:
Launch the reference system immediately
–Defend ad hoc like everyone else
–Run a network sniffer to determine what the score'bot wants
Would have:
–Put us over the top on points
–Learned what the score'bot wants much faster
We eventually did this

Immunix Server Not Up Yet: 6th place (scoreboard slide)

Once Immunix Server Up... in the Score'bot's Opinion :) (scoreboard slides)
Our score quickly rose: 2nd place, then a close 2nd, then 1st place
Stayed there most of Saturday

Late Saturday: New Service Requirement
With 4 hours of play to go, the score'bot changed: now it wanted Webmin
–Open source web GUI for Linux administration
–Competitor to WireX's commercial server appliance software
–Rather famously vulnerable :)
Took us 2 hours Sunday morning to make the score'bot happy again
–Lost our lead

Some of Our Creative Attacks
Lock Out the Owner
–Once we root the machine, install a back door
–Also replace root's login shell with /sbin/halt
–Owner can't log in to their own machine, but we can
Spam'bot
–Add a user to their server
–User sends spam mail to all the other teams
–Costs them penalty points
–Penalties are per connection, so Spam'bot sends 1-byte messages

Final Score: 2nd Place (scoreboard slide)

Lesson: Symmetric Red Teaming Solves Rules Issues
Everyone is both an attacker and a defender
Bad: everyone needs to learn how to attack
Good:
–Everyone should learn how attacks are done :-)
–Rule fussing about how hard or easy it is for the attacker applies to all parties -> less fussing
The Ghettohackers have designed a great game
–Looking for technology transfer to Government

Lesson: Mandatory Access Control is Not Enough
telnetd was a required service
WireX never bothered to patch a vulnerability in telnetd for Immunix
–Only idiots run telnetd :-)
Someone hacked our telnetd
–Didn't get out of the SubDomain sandbox
–Did make our telnetd stop working
–Cost us a point that round
General case: MAC protects your system, but not the availability of your individual services; a confined daemon can still be crashed from inside its profile

Lesson: Resource Management is a Security Attribute
SubDomain confined attacker logins to only run prescribed code
–Including PERL
Attacker launched a PERL fork bomb
–Consumed all real and virtual memory
–While our machine is thrashing, the score'bot passes us by
–Cost us a point that round
File-access confinement says nothing about how many processes or how much memory the confined code may consume; those need their own limits
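The limits that the fubush sandbox was missing, as an added example that is not Immunix code. A SubDomain profile decides which files a confined shell may touch; per-uid process, address-space and CPU limits are a separate mechanism (setrlimit), applied here by the login path before handing the attacker their shell. The limit values, struct and function names are this example's choices; the main() forks a small burst of sleeping children to show fork() being refused with EAGAIN once the process limit is reached (RLIMIT_NPROC does not apply to root, so run it as an ordinary user).

```c
/* Added example: resource limits for a sandboxed login shell, the missing
 * complement to a file-access confinement profile. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct sandbox_limits {
    rlim_t nproc;      /* max processes owned by this uid */
    rlim_t as_bytes;   /* max virtual address space per process */
    rlim_t cpu_secs;   /* max CPU seconds per process */
};

/* Lower one limit's soft value to `want`.  Never raise it and never exceed
 * the hard limit (an unprivileged process may only tighten).  Returns 0,
 * or -1 with errno set. */
static int clamp_limit(int resource, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
        want = rl.rlim_max;                  /* cannot go above the hard limit */
    if (rl.rlim_cur != RLIM_INFINITY && rl.rlim_cur < want)
        want = rl.rlim_cur;                  /* already stricter: keep it */
    rl.rlim_cur = want;
    return setrlimit(resource, &rl);
}

/* Apply all three limits; the exec of the sandboxed shell inherits them. */
int apply_sandbox_limits(const struct sandbox_limits *l)
{
    if (clamp_limit(RLIMIT_NPROC, l->nproc) != 0) return -1;
    if (clamp_limit(RLIMIT_AS, l->as_bytes) != 0) return -1;
    if (clamp_limit(RLIMIT_CPU, l->cpu_secs) != 0) return -1;
    return 0;
}

/* Read back a soft limit so callers can verify what was applied. */
rlim_t current_soft_limit(int resource)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return RLIM_INFINITY;
    return rl.rlim_cur;
}

int main(void)
{
    struct sandbox_limits lim = { 64, 1024UL * 1024 * 1024, 60 };  /* example values */
    if (apply_sandbox_limits(&lim) != 0) {
        perror("setrlimit");
        return 1;
    }
    printf("nproc soft limit now %lu, address space %lu bytes, cpu %lu s\n",
           (unsigned long)current_soft_limit(RLIMIT_NPROC),
           (unsigned long)current_soft_limit(RLIMIT_AS),
           (unsigned long)current_soft_limit(RLIMIT_CPU));

    /* A fork bomb under these limits: fork() fails with EAGAIN once the uid
     * owns nproc processes, instead of consuming the whole machine. */
    pid_t kids[64];
    int spawned = 0;
    for (int i = 0; i < 64; i++) {
        pid_t p = fork();
        if (p < 0) {
            printf("fork refused after %d children: %s\n", spawned, strerror(errno));
            break;
        }
        if (p == 0) {
            pause();                         /* child just sits there */
            _exit(0);
        }
        kids[spawned++] = p;
    }
    for (int i = 0; i < spawned; i++) {       /* clean up the burst */
        kill(kids[i], SIGKILL);
        waitpid(kids[i], NULL, 0);
    }
    return 0;
}
```

The design point is that the limits are inherited across exec, so they are set once in the login path and hold for everything the attacker's shell spawns, PERL included; the fork bomb then exhausts its own process budget rather than the machine's memory.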

Lesson: Redundancy Helps When You Are Vulnerable
Penetration attacks take a long time to recover from
–Must clean up state, find and fix the vulnerability
DoS attacks take a long time to recover from
–If the machine crashes, must fsck the file system; can take 10 minutes
A hot spare can be on-line in seconds
–A heterogeneous hot spare keeps the attacker from immediately deploying the same attack

Lesson: Redundancy is Resource-Constrained
Must have humans on watch to clean up the compromised machine
–The hot spare will not protect you for long
The presumption that a hot spare prevents repeat attacks assumes a resource limit at the attacker's end
–If the attacker has lots of exploits/resources, they will hack your heterogeneous server just as quickly
We had a hot spare, but not enough of them

Lesson: Immunix was Impenetrable, but not Incorruptible
No one ever "flagged" the Immunix server
–Others did plant enemy flags on our reference server (as expected)
But they did hit the Immunix server hard enough to compromise availability
–Take out one required service, and the score'bot doesn't award the point
–We missed first place by less than 4 points out of 55

Immunix Secure Server Appliances
Base: Immunix Secure OS
–Appliances that defend themselves
Turn-key installation:
–WireX installer turns PC hardware into a server appliance in 5 minutes
–No technical skills required
Graphical ease of use:
–WireX Secure Server Manager web GUI management system


Immunix Secure Server Solutions
Partner with HP
First product: Trend Micro Antivirus mail scanner
Websense content filter
Secure Webmail Appliance
–Customized for USTRANSCOM
–Provides secure webmail access to Microsoft Exchange
–Supports Microsoft Exchange/Outlook calendar events
–Partner with Secure Computing
All being demonstrated in our booth

Summary
WireX Immunix:
–Secure Linux system with low overhead and administrative hassle
Defcon fun:
–Couldn't crack Immunix
–Integrated undocumented code into Immunix in 12 hours
Available as:
–Secure Linux system
–Turn-key secure server solutions