I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

Similar documents
I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,

Secure Programming II. Steven M. Bellovin September 29,

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Web Servers and Security

Architecture. Steven M. Bellovin October 31,

Architecture. Steven M. Bellovin October 27,

Program Structure I. Steven M. Bellovin November 14,

Case Study: Access Control. Steven M. Bellovin October 4,

Web Servers and Security

Program Structure. Steven M. Bellovin April 3,

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Program Structure I. Steven M. Bellovin November 8,

Keys and Passwords. Steven M. Bellovin October 17,

CSE 565 Computer Security Fall 2018

Case Studies in Access Control

Least-Privilege Isolation: The OKWS Web Server

Security Architecture

Access Control. Steven M. Bellovin September 13,

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

Access Control. Steven M. Bellovin September 2,

Secure Architecture Principles

Chapter 1 - Introduction. September 8, 2016

CSE543 - Introduction to Computer and Network Security

CS 161 Computer Security. Design Patterns for Building Secure Systems

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Advanced System Security: Vulnerabilities

Confinement. Steven M. Bellovin November 1,

Advanced Systems Security: Ordinary Operating Systems

Secure Programming I. Steven M. Bellovin September 28,

OS Security III: Sandbox and SFI

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

ONLamp.com: Secure Programming Techniques

Advanced Systems Security: Ordinary Operating Systems

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Writing Safe Setuid Programs. Theme

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Operating system security models

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Analyzing Systems. Steven M. Bellovin November 26,

Secure Software Programming and Vulnerability Analysis

Process Time. Steven M. Bellovin January 25,

Computer Security Spring 2010 Paxson/Wagner Notes 1/29. Patterns for Building Secure Software. 1 The Trusted Computing Base (TCB)

Confinement (Running Untrusted Programs)

Computer Security. 04. Injection Attacks & application confinement. Paul Krzyzanowski. Rutgers University. Spring 2018

OS Security. Authorization. Radboud University Nijmegen, The Netherlands. Winter 2015/2016

Review of Fundamentals. Todd Kelley CST8207 Todd Kelley 1

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Cross-platform daemonization tools.

CMSC 414 Computer and Network Security

SysSec. Aurélien Francillon

(In columns, of course.)

Process Management 1

Creating a Shell or Command Interperter Program CSCI411 Lab

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Linux Systems Security. Security Design NETS Fall 2016

Introduction Variables Helper commands Control Flow Constructs Basic Plumbing. Bash Scripting. Alessandro Barenghi

Process Management! Goals of this Lecture!

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

Software Security and Exploitation

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

VFS, Continued. Don Porter CSE 506

System Structure. Steven M. Bellovin December 14,

CS 161 Computer Security

The Classical OS Model in Unix

CS 356 Systems Security Spring 2015

Operating Systems Design Fall 2010 Exam 1 Review. Paul Krzyzanowski

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

CHAPTER 2. Troubleshooting CGI Scripts

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CS 380S. TOCTTOU Attacks. Don Porter. Some slides courtesy Vitaly Shmatikov and Emmett Witchel. slide 1

System Programming. Introduction to Unix

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Midterm Exam CPS 210: Operating Systems Spring 2013

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

C and C++ Secure Coding 4-day course. Syllabus

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files. Compiler vs.

CSE 565 Computer Security Fall 2018

File System Basics. Farmer & Venema. Mississippi State University Digital Forensics 1

Unix Basics. UNIX Introduction. Lecture 14

Securing Unix Filesystems - When Good Permissions Go Bad

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Lab #2 Physics 91SI Spring 2013

Complex Access Control. Steven M. Bellovin September 10,

Exploiting Unix File-System Races via Algorithmic Complexity Attacks

Secure Architecture Principles

Design Overview of the FreeBSD Kernel CIS 657

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Non-atomic check and use aka TOCTOU (Time of Check, Time of Use) or race conditions. Erik Poll Digital Security group Radboud University Nijmegen

Fundamentals of Computer Security

Secure Architecture Principles

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

CSC209 Review. Yeah! We made it!

bash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1

Review of Fundamentals. Todd Kelley CST8207 Todd Kelley 1

Transcription:

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20, 2007 1

Special Techniques for Secure Programs Buffer overflows are bad in any case Some problems are only a risk for secure programs But what is a secure program? A secure program is one that runs with one set of permissions and accepts input from somone with lesser permissions Includes most network servers and setuid programs, and many system daemons Steven M. Bellovin February 20, 2007 2

SetUID Programs Are More Sensitive Anyone on the local machine can invoke them Many environmental influences that can be controlled by the invoker On the other hand, network daemons can be accessed remotely Steven M. Bellovin February 20, 2007 3

Macro Injection Attacks Suppose a program is querying an SQL database based on valid userid and query string: sprintf(buf, "select where user=\"\%s\" && query=\"%s\"", uname, query); What if query is foo" user="root The actual command passed to SQL is select where user="uname" && query = "foo" user="root" This will retrieve records it shouldn t have Stored SQL procedures are much safer Steven M. Bellovin February 20, 2007 4

What Was Wrong with That Slide? Steven M. Bellovin February 20, 2007 5

Did You Notice? I wrote sprintf instead of snprintf I was mostly trying to save room on a complex slide I was also curious to see who d notice... Steven M. Bellovin February 20, 2007 6

More Generally If you invoke an external program, be aware of its parsing rules Especially serious for languages like Shell, Perl, and Python, where data can be converted to statements and executed Example: what delimits different arguments to the shell? Blank, tab, newline? Why? Steven M. Bellovin February 20, 2007 7

IFS The shell variable IFS lists the delimiters used when parsing command lines If you can change it, you can control the shell s parsing (The exact effects are subtle, because of the risks of just accepting it blindly know your semantics!) Steven M. Bellovin February 20, 2007 8

Other Sensitive Environment Variables PATH Search path for finding commands If. is first,, you ll execute a command in the current directory. What if it s booby-trapped? Secure programs should always use absolute paths or reset PATH ENV With some shells, a file to execute on startup LD LIBRARY PATH The search path for shared libraries LD PRELOAD Extra modules loaded at runtime Some of these are disabled for setuid programs, to minimize the risks Steven M. Bellovin February 20, 2007 9

File Descriptors Normally, file descriptor 0 is stdin, 1 is stdout, and 2 is stderr The open() system call allocates the first available file descriptor, starting from 0 Suppose you close fd 1, then invoke a setuid program that will open some sensitive file for output Anything it prints to stdout will overwrite that file Similar tricks for fd 0 Steven M. Bellovin February 20, 2007 10

Some Other Inherited Attributes current directory root directory resource limits umask timers signal mask open files Current uid Effective uid see chroot() see getrlimit() see getitimer() See the FIOCLEX option to ioctl Steven M. Bellovin February 20, 2007 11

Why Do These Matter? Will such a program misbehave? Will it core dump after having read a sensitive file? (Some systems prevent core dumps of setuid programs.) If the program terminates prematurely, will it leave some crucial resource locked? Steven M. Bellovin February 20, 2007 12

Access Control Some privileged programs need to read or write user-specified files Example: web server (remote), lpr (setuid) Very tricky... Steven M. Bellovin February 20, 2007 13

Remote Access Control Don t want to offer all system files to, say, web users Operating system doens t help too many files are world-readable Web server must implement its own access control Several different levels Steven M. Bellovin February 20, 2007 14

Filename Parsing User supplies pathname; application must check for validity Administrator specifies list of accessible files and/or directories Sometimes, wildcards *,?, and more are permitted Application must parse supplied filename Remarkably difficult Steven M. Bellovin February 20, 2007 15

The.. Problem Attackers try to get at other files Simplest attack: put.. in the path http://example.com/../../../../etc/passwd The.. can occur later: http://example.com/a/b/../../../../etc/passwd If directory /dir is legal, what about /dir/../dir/file? Do you want to count levels? Watch out for /dir///../../file replicated / s counts as a single one Steven M. Bellovin February 20, 2007 16

Application Syntax Issues Applications can have their own weird syntax Example: in URLs, %xx can specify two hex digits for the character. %2F is the same as / When is that expanded? Steven M. Bellovin February 20, 2007 17

Unicode Standard for representing (virtually) all of the world s scripts There are proposals for Klingon and Tengwar ( Elvish ) codepoints Many problems! Some symbols look the same, but have different values: ordinary / technically called solidus is U+002F, but U+2044, fraction slash, looks the same Combining characters and grapheme joiners make life even more complicated. Thus, á can be U+00C1 or the two-character sequence U+0041,U+0301 Comparison rules have to be application-dependent and watch out for false visual equivalences; these have already been used for attacks, especially with Cyrillic domain names Steven M. Bellovin February 20, 2007 18

Operating Systems Don t Have Such Problems Conceptually, you re trying to permit certain subtrees. The application is trying to map a string into a subtree The OS has one mapping function; the application has another The OS doesn t care about the tree structure for access control; it uses its own mechanisms The OS stores permissions with the data; no separate parse is needed Steven M. Bellovin February 20, 2007 19

File Access by SetUID Programs Some commands lpr, for example need to write to restricted places, but also read users files Need permissions to write to spool directory; need user permissions to read users files How can this be done? Steven M. Bellovin February 20, 2007 20

First Attempt: Access() System Call if (access(file, R_OK) == 0) { fd = open(file, O_RDONLY); ret = read(fd, buf,s sizeof buf);... } else { perror(file); return -1; } What s wrong? Steven M. Bellovin February 20, 2007 21

Several Problems Only useful if setuid root other UIDs can t open read-protected files. (I didn t check the return code on the open() call... ) Race conditions Generic name: TOCTTOU (Time of Check to Time of Use) Steven M. Bellovin February 20, 2007 22

Race Conditions There is a window between the access() call and the open() call The attack program can create a link to a readable file, invoke lpr in the background, then remove the link and replace it with a link to a protected file The probability of success is low but not zero and the attacker only has to win once Steven M. Bellovin February 20, 2007 23

Temporary Files The same attack can happen on files in /tmp The standard C library subroutine mktemp() is vulnerable to this Alternatives: mkstemp() or mktemp() with the O CREAT O EXCL flags to open() Caution: if open() is used that way, generate a new template if EEXIST is returned Steven M. Bellovin February 20, 2007 24

Shedding SetUID A setuid program can give up and then regain its setuid status: save_uid = geteuid(); setuid(getuid()); fd = open(file, O_RDONLY); seteuid(save_uid); Better alternative: run unprivileged most of the time, but assume setuid status only when doing privileged operations But watch for SIGINT, buffer overflows; injected code can reassume privileges, too Steven M. Bellovin February 20, 2007 25

Lock Directories Have a parent directory that s mode 700, and a 777 subdirectory While privileged, do a chdir() to the subdirectory Give up privileges; write files in this subdirectory Steven M. Bellovin February 20, 2007 26

Use a Subprocess Fork, and have a subprocess open the user s files Option 1: copy the file contents to the parent process over a pipe safe but slow Option 2: send the file descriptor via sendmsg()/recvmsg() over a Unix-domain socket Steven M. Bellovin February 20, 2007 27

Issues with Message-Passing Systems File-opening permissions Authentication Other issues? Steven M. Bellovin February 20, 2007 28

Opening Files How does the server open a private file? Two ways... The client opens the file and passes the open file descriptor The client sends some sort of access right a capability to the server Steven M. Bellovin February 20, 2007 29

Authentication Who is allowed to send messages to the server? How does the server know the client s identity? Two solutions: support from the OS or cryptographic authentication Steven M. Bellovin February 20, 2007 30

Other Issues? The buggy code problem doesn t go away It s very similar to the network security problem; it hasn t been solved, either Steven M. Bellovin February 20, 2007 31

The Fundamental Problem The real issue: interaction To be secure, a program must minimize interactions with the outside All interactions must be controlled Steven M. Bellovin February 20, 2007 32

RASQ RASQ: Relative Attack Surface Quotient Microsoft metric of how vulnerable an application is Roughly speaking, it measures how many input channels it has Must reduce RASQ Steven M. Bellovin February 20, 2007 33

Not All Channels Are Equal Some channels are easier to exploit Some are more accessible to attackers Some have a bad track record Steven M. Bellovin February 20, 2007 34

RASQ Examples Weak ACLs on shared files:.9 names are generally known; easy to attack remotely Weak ACLs on local files:.2 only useful to attacker after initial compromise Open sockets: 1.0 potential target Steven M. Bellovin February 20, 2007 35

Generic Defenses Better OS What s a secure OS? One that makes it easy to write secure programs Most don t qualify... Steven M. Bellovin February 20, 2007 36

Minimize Chances for Mistakes Eliminate unnecessary interactions Example: per-process or per-user /tmp Avoid error-prone primitives Tight specification of input and environment and check that it s all true Steven M. Bellovin February 20, 2007 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback