330 likes | 554 Views
20-771: Computer Security Lecture 6: Server Security, Unix. Robert Thibadeau School of Computer Science Carnegie Mellon University Institute for eCommerce, Fall 2000. Today’s lecture. Server Security Crashing machines and Stacheldraht! Break (10 min) Unix Server Unix Access Control
E N D
20-771: Computer SecurityLecture 6: Server Security, Unix Robert Thibadeau School of Computer Science Carnegie Mellon University Institute for eCommerce, Fall 2000
Today’s lecture • Server Security • Crashing machines and Stacheldraht! • Break (10 min) • Unix Server • Unix Access Control • Code to check SUID bits
This Week Chapters 6,7 WS
Server Side Security • Webjacking : Editing a page without your permission. • Stealing information. • Disabling your web site. • Authenticating Users, Authorizing Users
Why are Web Sites Vulnerable • Bugs in System Software • System Software is Incorrectly Configured • The Server Hardware isn’t Secure • Networks are Not Secure • Remote Authoring and Administration Tools Open Holes • Insider Threats are Overlooked
Bugs in System Software KOOPMAN DEMO • System self destructs and hardware lost • System self destructs and software/data lost • System crashes and needs reboot • Software crashes and needs restarting • Software runs slowly/non-responsively • Software does something not intended • Software “feature” a nuisance
The “Buffer Overrun” • Really a whole range of attacks : • A program is handed long arguments. Causes program to fail but leaves user with write-priviledges. • A program is handed arguments that are interpreted and therefore possible can be run. • Never use “exec” or “system” in cgi-bin • How common is it for a program/module to fail if given the wrong arguments? • Koopman.pdf
Denial of Service Large numbers of computers are recruited to create an attack Stacheldraht (Barbed Wire) first reported by David Dittrich University of Washington December 29, 1999 (basis for giant DoS in Jan 2000): • The Client: • The client connects to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken”. Attacker uses client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines. • The Master Server: • The master server handles all communication between client and agent programs. • The Agent: • The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.
Denial of Service II Large numbers of computers are recruited to create an attack Stacheldraht (Barbed Wire): • The Client: • Attacker uses client to manage Stacheldraht agents. • The Master Server: • The master server handles all communication between client and agent programs. • The Agent: • Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines. • The Attack: • Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines. • Where and How: • Stacheldraht agents were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd", "cmsd" and "ttdbserverd". They are often witnessed "in the wild".
Stacheldraht Model Master Server A Client B Master Server B Client A AGENT N AGENT A First set up a bunch of master servers Set up thousands of agents Now say “march!” through any one or more of Your master servers. AGENT B YOU N YOU 1 YOU 2
Stacheldraht Commands! .distro user server Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server",using the account "user" (e.g., "rcp user@server:linux.bin ttymon") .help Prints a list of supported commands. .killall Kills all active agents. .madd ip1[:ip2[:ipN]] Add IP addresses to list of attack victims. .mdie Sends die request to all agents. .mdos Begins DoS attack. .micmp ip1[:ip2[:ipN]] Begin ICMP flood attack against specified hosts. .mlist List IP addresses of hosts being DoS attacked at the moment. .mping Pings all agents (bcasts) to see if they are alive. .msadd Adds a new master server (handler) to the list of available servers. .msort Sort out dead/alive agents (bcasts). (Sends pings and shows counts/percentage of dead/alive agents).
Stacheldraht Commands! 2 .mstop ip1[:ip2[:ipN]] .mstop all Stop attacking specific IP addresses, or all. .msrem Removes a master server (handler) from the list of availableservers. .msyn ip1[:ip2[:ipN]] Begin SYN flood attack against specified hosts. .mtimer seconds Set timer for attack duration. (No checks on this value.) .mudp ip1[:ip2[:ipN]] Begin UDP flood attack against specified hosts. (Trinoo DoS emulation mode.) .setisize Sets size of ICMP packets for flooding. (max:1024, default:1024). .setusize Sets size of UDP packets for flooding (max:1024 default:1024). .showalive Shows all "alive" agents (bcasts). .showdead Shows all "dead" agents (bcasts). .sprange lowport-highport Sets the range of ports for SYN flooding (defaults to lowport:0, highport:140).
SYN Floods • TCP Synchronization Handshake Attack • C-SYN S-SYN-ACK C-ACK (triple, but you stop at 2) • The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections. • netstat -a -f inet • Too many connections in the state "SYN_RECEIVED" indicates that the system is being attacked.
If Staheldraht did that then … • What is going silently and without destruction? • Armies of agents? • Probably
Security Policy Components • Personnel • Access Levels • Authorization Procedures • Revocation of Authorization • Access Priviledges • Local Login • Network Login (never root!) • Authoring Access • Remote Server Administration • Browsing Access • CGI-Script Installation • Access to the /private directory
Security Policy Components • Personnel • Access Priviledges • Network Services • Web • FTP • Other (no other) • Maintanence • 24X7 • Backups
Setting up Unix • Apply vendor OS patches • Turn off unessential services • Add minimum number of user accounts • Make a back door for your self to do admin for awhile • Get the file and directory permissions right • NOW YOU CAN PUT UNIX ON THE INTERNET! • Lots of automated programs probe to get trojan horses on your machine and this can happen FAST!
Unix Access • User and Group Access Rights is the Basis for Unix Security • Read, Write, Execute on a file/directory/device • The biggest TCO (total cost of ownership) in a computer system is administering and working with access control. • Because things just don’t work until you get the access rights working properly • People think it is something wrong with the program when it is really just the security environment that is set wrong. • A GREAT REASON to REALLY LEARN YOUR ACCESS CONTROL SYSTEM!
Unix Access Protections • What has access protections u-rwx g-rwx o-rwx? • Files • Directories • Devices (/dev/) • Programs (must have execute bit set). • All these have ONE user and ONE group that owns them. • Each User is ONE user and ONE DEFAULT group but many group memberships. • Types of protections applied when creating/modifying • User : rwx (u-rwx, -rwx------, or 0700) • Group : rwx (g-rwx, ----rwx---, or 0070) – other members of user’s group • Other : rwx (o-rwx, -------rwx, or 0007) • A directory : d (d--------- -> set automatically by file system) • SGID : (-----s--- or 2000) inherit group protections • umask 002 : automatically let everybody in group rwx • Need private user group : user mary, group mary if umask 002 not 022. • A user can be a member of many groups but only the primary defaults to write unless directory permission is set to overcome user permission (sgid bit set on directory). • When access is provided to a group, every member gets it.
Unix Access Permission Model FILE / DIRECTORY / DEVICE / INODE User A - Group A 2 Other Execute 1 Group Write 2 Other Write 2 Group Execute 1 Set GUID 2 Group Read 4 Other Read 4 Set Sticky 1 User Write 2 Set UserID 4 User Read 4 User Execute 1 1 4 2 OTHER GROUP A GROUP C USER C Group A USER B Group B GROUP B USER A Group A
Special Bits do ONE thing eachdrwsrwsrwt • 4 Set User ID : causes an executable file (a program) to go into the access permissions of the owner of the file (note, group or OTHER could execute it!) not the person executing it. • 2 Set Group ID : causes a new file that is being created in a directory to have the group ID of the directory, not the person (User) that is creating the file. • 1 Sticky Bit : Causes a new file that is being created in a directory to not be deletable by just anybody in that directory but by the user who created the file.
Seeing Who you Pretend to Be. • #!/bin/sh #idinfo: Print user informationecho " effective user-ID:" id -un echo " real user-ID:" id -unr echo " group ID:" id -gn
Set User ID Test • /*suidtest.c*/ #include <stdio.h> #include <unistd.h> int main(){ /*secure SUID programs MUST *not trust any user input or environment variable!! */ char *env[]={"PATH=/bin:/usr/bin",NULL}; char prog[]="/home/alice/idinfo"; if (access(prog,X_OK)){ fprintf(stderr,"ERROR: %s not executable\n",prog); exit(1); } printf("running now %s ...\n",prog); execle(prog,(const char*)NULL,env); perror("suidtest"); return(1); }
More on SUID • gcc -o suidtest -Wall suidtest.c • chmod 4755 suidtest OR • chmod u+s suidtest • ls –l suidtest • suidtest idtest • Set-UID programs are often used by "root" to give ordinary users access to things that normally only "root" can do. As root you can e.g modify the suidtest.c to allow any user to run the ppp-on/ppp-off scripts on your machine. • Note: It is possible to switch off Suid when mounting a file system. If the above does not work then check your /etc/fstab. It should look like this:/dev/hda5 / ext2 defaults 1 1 If you find the option "nosuid" there then this Suid feature is switched off. For details have a look at the man-page of mount.
SUID User Bit • If root owns the file with s-bit set. Any user can then do things that normally only root can do. • A few words on security. • When you write a SUID program then you must make sure that it can only be used for the purpose that you intended it to be used. • Always set the path to a hard-coded value. • Never rely on environment variables or functions that use environment variables. • Never trust user input (config files, command line arguments....). Careful on BUFFER OVERFLOWAAA…! • Check user input byte for byte and compare it with values that you consider valid.
umask • Applies only when you are creating a file (directory, device…) • 022 is the general default : only you can write a file but everybody else can read and execute it. It is a mask on the file settings given by environment. • 002 lets everybody in your group write the file. • 000 lets everybody write the file. • 277 lets only you read and execute (safety) • Just type “umask 277” in a shell window and now when you make a file, it will have these attributes.
P3P • Client makes any first http request • Server includes in its http response header a pointer to its p3p policyref (policy reference page). • Client MAY now check the p3p policyref before proceeding to any next interaction with the server. • Method is to apply APPEL rules. • Each APPEL rule looks at a part of the policyref and decides to ACCEPT, REJECT, INFORM or WARN the person.
POLICY EXTENSION (EXT) Who is the organization? EXT ENTITY DATA-GROUP EXT DISPUTES EXTENSION DISPUTES-GROUP If Privacy violated? ACCESS What info can you, as a user, access --.e.g, your retirement balance? STATEMENT What privacy do they promise and about what? EXT DATASCHEMA Special data representations, car.year.model P3P XML Tree
P3P Summary other/ location/ physical/ law/ money/ correct/ CATEGORIES/ online/ content/ uniqueid/ REMEDIES state/ purchase/ political/ financial/ DISPUTES law/ navigation/ health/ Service/ computer/ interactive/ preference/ resolution-type IMG Independent/ demographic/ court/ none ACCESS All/ PURPOSE/ current/ Contact_and_other/ customization/ admin/ Other_ident/ Contact/ Nonident/ develop/ Ident_contact/ Other-purpose/ Targeting/ ours/ profiling/ RECIPIENT/ same/ Legal-requirement/ RETENTION/ Other-recipient/ Business-practices/ delivery/ unrelated/ public/ indefinitely/ No-retention/ Stated-purpose/
APPEL Rules • If you are taking my name and the recipient is “other recipient” maybe I want to reject. • If you are taking my name and the recipient is “other recipient” but there is extended text (the machine can’t read this – only know it is there) then maybe I WARN and put this text in the warning window.