
20-771: Computer Security Lecture 5: Server Security, Unix

20-771: Computer Security Lecture 5: Server Security, Unix. Robert Thibadeau School of Computer Science Carnegie Mellon University Institute for eCommerce, Fall 2002. Today’s lecture. Server Security Crashing machines and Stacheldraht! Break (10 min) Unix Server Unix Access Control


Presentation Transcript


  1. 20-771: Computer Security Lecture 5: Server Security, Unix Robert Thibadeau School of Computer Science Carnegie Mellon University Institute for eCommerce, Fall 2002

  2. Today’s lecture • Server Security • Crashing machines and Stacheldraht! • Break (10 min) • Unix Server • Unix Access Control • Code to check SUID bits

  3. Sept 11 Presentation

  4. This Week Chapters 4,5 WS

  5. Server Side Security • Webjacking : Editing a page without your permission. • Stealing information. • Disabling your web site. • Authenticating Users, Authorizing Users

  6. Why are Web Sites Vulnerable • Bugs in System Software • System Software is Incorrectly Configured • The Server Hardware isn’t Secure • Networks are Not Secure • Remote Authoring and Administration Tools Open Holes • Insider Threats are Overlooked

  7. Bugs in System Software • System self destructs and hardware lost • System self destructs and software/data lost • System crashes and needs reboot • Software crashes and needs restarting • Software runs slowly/non-responsively • Software does something not intended • Software “feature” a nuisance

  8. The “Buffer Overrun” • Really a whole range of attacks : • A program is handed long arguments. Causes program to fail but leaves user with write-privileges. • A program is handed arguments that are interpreted and therefore can possibly be run. • Never use “exec” or “system” in cgi-bin • How common is it for a program/module to fail if given the wrong arguments? • Koopman.pdf

  9. Koopman 2000 Data: BUFFER OVERRUNS LIVE ON!

  10. Denial of Service • Large numbers of computers are recruited to create an attack • Stacheldraht (Barbed Wire) first reported by David Dittrich, University of Washington, December 29, 1999 (basis for giant DoS in Jan 2000): • The Client: • The client connects to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken". Attacker uses client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines. • The Master Server: • The master server handles all communication between client and agent programs. • The Agent: • The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

  11. Denial of Service II Large numbers of computers are recruited to create an attack Stacheldraht (Barbed Wire): • The Client: • Attacker uses client to manage Stacheldraht agents. • The Master Server: • The master server handles all communication between client and agent programs. • The Agent: • Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines. • The Attack: • Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines. • Where and How: • Stacheldraht agents were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd", "cmsd" and "ttdbserverd". They are often witnessed "in the wild".

  12. Stacheldraht Model [Diagram: Client; Master Server A, Master Server B; AGENT A, AGENT B ... AGENT N; YOU 1, YOU 2 ... YOU N] • First set up a bunch of master servers • Set up thousands of agents • Now say “march!” through any one or more of your master servers.

  13. Stacheldraht Commands! • .distro user server - Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon") • .help - Prints a list of supported commands. • .killall - Kills all active agents. • .madd ip1[:ip2[:ipN]] - Add IP addresses to list of attack victims. • .mdie - Sends die request to all agents. • .mdos - Begins DoS attack. • .micmp ip1[:ip2[:ipN]] - Begin ICMP flood attack against specified hosts. • .mlist - List IP addresses of hosts being DoS attacked at the moment. • .mping - Pings all agents (bcasts) to see if they are alive. • .msadd - Adds a new master server (handler) to the list of available servers. • .msort - Sort out dead/alive agents (bcasts). (Sends pings and shows counts/percentage of dead/alive agents).

  14. Stacheldraht Commands! 2 • .mstop ip1[:ip2[:ipN]] / .mstop all - Stop attacking specific IP addresses, or all. • .msrem - Removes a master server (handler) from the list of available servers. • .msyn ip1[:ip2[:ipN]] - Begin SYN flood attack against specified hosts. • .mtimer seconds - Set timer for attack duration. (No checks on this value.) • .mudp ip1[:ip2[:ipN]] - Begin UDP flood attack against specified hosts. (Trinoo DoS emulation mode.) • .setisize - Sets size of ICMP packets for flooding. (max:1024, default:1024). • .setusize - Sets size of UDP packets for flooding (max:1024 default:1024). • .showalive - Shows all "alive" agents (bcasts). • .showdead - Shows all "dead" agents (bcasts). • .sprange lowport-highport - Sets the range of ports for SYN flooding (defaults to lowport:0, highport:140).

  15. SYN Floods • TCP Synchronization Handshake Attack • C-SYN S-SYN-ACK C-ACK (triple, but you stop at 2) • The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections. • netstat -a -f inet • Too many connections in the state "SYN_RECEIVED" indicates that the system is being attacked.
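The netstat check from slide 15, automated as an added example (not part of the original lecture): it counts connections in the SYN-received state per local endpoint and reports every endpoint at or above a threshold. The function names, the threshold and the sample output are constructed for illustration; the state is matched as SYN_RECV, SYN_RCVD or SYN_RECEIVED because the spelling differs between systems.

```shell
#!/bin/sh
# Added example: count half-open TCP connections per local endpoint.
# Reads `netstat -an`-style lines on stdin and prints "count local_addr"
# for every endpoint with at least $1 connections waiting for the final ACK.
half_open_report() {
    threshold=${1:-3}
    awk -v min="$threshold" '
        # The state is the last column; the local address is column 4.
        $1 ~ /^tcp/ && $NF ~ /^SYN_(RECV|RCVD|RECEIVED)$/ { n[$4]++ }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' | sort -rn
}

# Constructed sample (not a real capture); addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0      0 192.0.2.10:80      198.51.100.7:40112   SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.9:1025    SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.44:5512    SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.45:6001    SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.80:33010   ESTABLISHED
tcp        0      0 192.0.2.10:22      198.51.100.7:51000   SYN_RECV
tcp        0      0 0.0.0.0:80         0.0.0.0:*            LISTEN
EOF
}

# Port 80 has four half-open connections; port 22 has one and stays
# below the threshold of 3.
sample_netstat | half_open_report 3
```

On a live host, pipe `netstat -an` into `half_open_report` and pick a threshold that sits above the normal backlog for that service.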

  16. If Stacheldraht did that then … • What is going on silently and without destruction? • Armies of agents? • Probably

  17. Break!

  18. Security Policy Components • Personnel • Access Levels • Authorization Procedures • Revocation of Authorization • Access Privileges • Local Login • Network Login • Authoring Access • Remote Server Administration • Browsing Access • CGI-Script Installation • Access to the /private directory

  19. Security Policy Components • Personnel • Access Privileges • Network Services • Web • FTP • Other (no other) • Maintenance • 24X7 • Backups

  20. Setting up Unix • Apply vendor OS patches • Turn off unessential services • Add minimum number of user accounts • Make a back door for yourself to do admin for a while • Get the file and directory permissions right • NOW YOU CAN PUT UNIX ON THE INTERNET! • Lots of automated programs probe to get trojan horses on your machine and this can happen FAST! • Fastest we’ve seen in Computer Science: 11 Minutes and we had to rebuild the machine.

  21. Unix Access • User and Group Access Rights are the Basis for Unix Security • Read, Write, Execute on a file/directory/device • The biggest TCO (total cost of ownership) in a computer system is administering and working with access control. • Because things just don’t work until you get the access rights working properly • People think it is something wrong with the program when it is really just the security environment that is set wrong. • A GREAT REASON to REALLY LEARN YOUR ACCESS CONTROL SYSTEM!

  22. Unix Access Protections • What has access protections u-rwx g-rwx o-rwx? • Files • Directories • Devices (/dev/) • Programs (must have execute bit set). • All these have ONE user and ONE group that owns them. • Each User is ONE user and ONE DEFAULT group but many group memberships. • Types of protections applied when creating/modifying • User : rwx (u-rwx, -rwx------, or 0700) • Group : rwx (g-rwx, ----rwx---, or 0070) – other members of user’s group • Other : rwx (o-rwx, -------rwx, or 0007) • A directory : d (d--------- -> set automatically by file system) • SGID : (------s--- or 2000) inherit group protections • umask 002 : automatically let everybody in group rwx • Need private user group : user mary, group mary if umask 002 not 022. • A user can be a member of many groups but only the primary defaults to write unless directory permission is set to overcome user permission (sgid bit set on directory). • When access is provided to a group, every member gets it.

  23. Unix Access Permission Model [Diagram: a FILE / DIRECTORY / DEVICE / INODE owned by User A - Group A, with USER A (Group A), USER B (Group B), USER C (Group A), GROUP A, GROUP B, GROUP C and OTHER] • Special bits: Set UserID 4, Set GUID 2, Set Sticky 1 • User: Read 4, Write 2, Execute 1 • Group: Read 4, Write 2, Execute 1 • Other: Read 4, Write 2, Execute 1

  24. Special Bits do ONE thing each: drwsrwsrwt • 4 Set User ID : causes an executable file (a program) to go into the access permissions of the owner of the file (note, group or OTHER could execute it!) not the person executing it. SUID to root is dangerous. • 2 Set Group ID : causes a new file that is being created in a directory to have the group ID of the directory, not the default group of the person (User) that is creating the file. • 1 Sticky Bit : Causes a new file that is being created in a directory to not be deletable by just anybody in that directory but by the user who created the file.

  25. Seeing Who you Pretend to Be.

     ```sh
     #!/bin/sh
     # idinfo: Print user information
     echo " effective user-ID:"
     id -un
     echo " real user-ID:"
     id -unr
     echo " group ID:"
     id -gn
     ```

  26. Set User ID Test

     ```c
     /* suidtest.c */
     #include <stdio.h>
     #include <stdlib.h>   /* exit() */
     #include <unistd.h>

     int main(void) {
         /* Secure SUID programs MUST not trust any user input
          * or environment variable!! */
         char *env[] = {"PATH=/bin:/usr/bin", NULL};
         char prog[] = "/home/alice/idinfo";

         /* access() checks with the real (not the effective) user ID */
         if (access(prog, X_OK)) {
             fprintf(stderr, "ERROR: %s not executable\n", prog);
             exit(1);
         }
         printf("running now %s ...\n", prog);
         /* argv[0] is the program name; the argument list ends with NULL */
         execle(prog, prog, (char *)NULL, env);
         perror("suidtest");   /* only reached if execle() failed */
         return 1;
     }
     ```

  27. More on SUID • gcc -o suidtest -Wall suidtest.c • chmod 4755 suidtest OR • chmod u+s suidtest • ls -l suidtest • suidtest idtest • Set-UID programs are often used by "root" to give ordinary users access to things that normally only "root" can do. As root you can e.g. modify the suidtest.c to allow any user to run the ppp-on/ppp-off scripts on your machine. • Note: It is possible to switch off SUID when mounting a file system. If the above does not work then check your /etc/fstab. It should look like this: /dev/hda5 / ext2 defaults 1 1 If you find the option "nosuid" there then this SUID feature is switched off. For details have a look at the man page of mount.

  28. SUID User Bit • If root owns the file with the s-bit set, any user can then do things that normally only root can do. • A few words on security. • When you write a SUID program then you must make sure that it can only be used for the purpose that you intended it to be used. • Always set the path to a hard-coded value. • Never rely on environment variables or functions that use environment variables. • Never trust user input (config files, command line arguments....). Careful on BUFFER OVERFLOWAAA…! • Check user input byte for byte and compare it with values that you consider valid.

  29. umask • Applies only when you are creating a file (directory, device…) • 022 is the general default : only you can write a file but everybody else can read and execute it. It is a mask on the file settings given by environment. • 002 lets everybody in your group write the file. • 000 lets everybody write the file. • 277 lets only you read and execute (safety) • Just type “umask 277” in a shell window and now when you make a file, it will have these attributes.

  30. Unix Access Control is • VERY SIMPLE! Only four sets of three bits for any file or directory (or device) • You are you, a member of a default group, and a member of N other groups. • You have a umask which limits the access to any file or directory you create. • Three of the four sets of three bits are read-write-execute for you, ONE group—usually your default, and others (anybody else) • One is 3 special bits with special purposes that let • an executable do things you can’t do, • let you work with a group in a group directory, and • let you let a group read and write but they can’t delete your file (modify only).
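The "four sets of three bits" model from slides 22 to 24 and the umask rules from slide 29, worked through as an added example (not code from the lecture): `mode_string` turns a four-digit octal mode into the `ls`-style string including the special bits, and `new_mode` shows what a umask leaves of a requested mode. Both function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: decode octal modes and apply a umask.

# triad BITS SPECIAL CHAR -> one rwx group, e.g. "rwx", "rws", "r-S"
triad() {
    bits=$1; special=$2; ch=$3
    r=-; w=-; x=-
    if [ $((bits & 4)) -ne 0 ]; then r=r; fi
    if [ $((bits & 2)) -ne 0 ]; then w=w; fi
    if [ "$special" -ne 0 ]; then
        # lower case: execute bit also set; upper case: special bit alone
        if [ $((bits & 1)) -ne 0 ]; then x=$ch
        else x=$(printf '%s' "$ch" | tr 'st' 'ST'); fi
    elif [ $((bits & 1)) -ne 0 ]; then
        x=x
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_string OCTAL -> nine-character permission string (no file-type char)
mode_string() {
    m=$((0$1))                      # leading 0 makes the shell read octal
    u=$(triad $(( (m >> 6) & 7 )) $(( m & 04000 )) s)   # 4 = set user ID
    g=$(triad $(( (m >> 3) & 7 )) $(( m & 02000 )) s)   # 2 = set group ID
    o=$(triad $((  m       & 7 )) $(( m & 01000 )) t)   # 1 = sticky
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# new_mode REQUESTED UMASK -> mode actually stored: requested AND NOT umask
new_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 07777 ))
}

mode_string 7777                     # rwsrwsrwt (slide 24, without the "d")
mode_string 4755                     # rwsr-xr-x (chmod 4755 suidtest)
new_mode 666 022                     # 644
mode_string "$(new_mode 777 277)"    # r-x------ (umask 277)
```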

  31. Unix Access Model

  32. P3P : Personal Info Privacy • www.w3.org/p3p yuan.ecom.cmu.edu/privacy p3p.jrc.it – JAVA CODE • Client makes any first http request • Server includes in its http response header a pointer to its p3p policyref (policy reference page). • Client MAY now check the p3p policyref before proceeding to any next interaction with the server. • Method is to apply APPEL rules. • Each APPEL rule looks at a part of the policyref and decides to ACCEPT, REJECT, INFORM or WARN the person.

  33. P3P XML Tree [Diagram] • POLICY • EXTENSION (EXT) • ENTITY (DATA-GROUP, EXT): Who is the organization? • DISPUTES-GROUP (DISPUTES, EXTENSION): If privacy violated? • ACCESS: What info can you, as a user, access, e.g., your retirement balance? • STATEMENT (EXT): What privacy do they promise and about what? • DATASCHEMA: Special data representations, car.year.model

  34. P3P Summary [Diagram] • CATEGORIES/ physical/ online/ uniqueid/ purchase/ financial/ computer/ navigation/ interactive/ demographic/ content/ state/ political/ health/ preference/ location/ other/ • PURPOSE/ current/ admin/ develop/ customization/ Targeting/ profiling/ Contact/ Other-purpose/ • RECIPIENT/ ours/ same/ Other-recipient/ delivery/ unrelated/ public/ • RETENTION/ No-retention/ Stated-purpose/ Legal-requirement/ Business-practices/ indefinitely/ • ACCESS Nonident/ All/ Contact_and_other/ Ident_contact/ Other_ident/ none • REMEDIES correct/ money/ law/ • DISPUTES resolution-type Service/ Independent/ court/ law/ IMG

  35. APPEL Rules • If you are taking my name and the recipient is “other recipient” maybe I want to reject. • If you are taking my name and the recipient is “other recipient” but there is extended text (the machine can’t read this – only know it is there) then maybe I WARN and put this text in the warning window.
