Cyber Security. General Unix Security

Similar documents
Internet Security General Unix Security

CSC 405 Computer Security Linux Security

Data Security and Privacy. Unix Discretionary Access Control

Processes are subjects.

Processes are subjects.

Introduction to Computer Security

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

Operating System Security

CSE 565 Computer Security Fall 2018

Secure Software Programming and Vulnerability Analysis

Secure Architecture Principles

Information Security CS 526

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

PROCESS CONTROL BLOCK TWO-STATE MODEL (CONT D)

OS Security III: Sandbox and SFI

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Secure Architecture Principles

Operating System Structure

CS 326: Operating Systems. Process Execution. Lecture 5

Race Condition Vulnerability Lab

CSE 265: System and Network Administration

ISA564 SECURITY LAB. Code Injection Attacks

System Programming. Introduction to Unix

Processes. CS3026 Operating Systems Lecture 05

User Management. René Serral-Gracià Xavier Martorell-Bofill 1. May 26, Universitat Politècnica de Catalunya (UPC)

CIS 5373 Systems Security

Shellbased Wargaming

Processes. Johan Montelius KTH

Secure Architecture Principles

Operating system security

A process. the stack

Secure Architecture Principles

CSE506: Operating Systems CSE 506: Operating Systems

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

IS 2150 / TEL 2810 Information Security and Privacy

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Operating Systems. Copyleft 2005, Binnur Kurt

Operating Systems 3. Operating Systems. Content. What is an Operating System? What is an Operating System? Resource Abstraction and Sharing

CSE506: Operating Systems CSE 506: Operating Systems

Datasäkerhet/Data security EDA625 Lect5

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

The Classical OS Model in Unix

Noorul Islam College Of Engineering, Kumaracoil MCA Degree Model Examination (October 2007) 5 th Semester MC1642 UNIX Internals 2 mark Questions

Perl and R Scripting for Biologists

Today. Operating System Evolution. CSCI 4061 Introduction to Operating Systems. Gen 1: Mono-programming ( ) OS Evolution Unix Overview

CPSC 341 OS & Networks. Processes. Dr. Yingwu Zhu

Secure Programming Learning objectives. and Best Practices. Windows shells Launches programs, including other shells Provides

Secure Programming. Shell and Environment Flaws. Ahmet Burak Can Hacettepe University

CSCE Operating Systems Interrupts, Exceptions, and Signals. Qiang Zeng, Ph.D. Fall 2018

Introduction to OS Processes in Unix, Linux, and Windows MOS 2.1 Mahmoud El-Gayyar

ENGR 3950U / CSCI 3020U Midterm Exam SOLUTIONS, Fall 2012 SOLUTIONS

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

(In columns, of course.)

Confinement (Running Untrusted Programs)

20: Exploits and Containment

PROCESS MANAGEMENT. Operating Systems 2015 Spring by Euiseong Seo

Operating system security models

Today. Operating System Evolution. CSCI 4061 Introduction to Operating Systems. Gen 1: Mono-programming ( ) OS Evolution Unix Overview

INSE 6130 Operating System Security. Overview of Design Principles

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

INSE 6130 Operating System Security

Secure Architecture Principles

Introduction. Let s start with the first set of slides

Systems Programming/ C and UNIX

CS 5460/6460 Operating Systems

O/S & Access Control. Aggelos Kiayias - Justin Neumann

File Systems. What do we need to know?

Department of Computer Science and Technology, UTU 2014

The landscape. File hierarchy overview. A tree structure of directories The directory tree is standardized. But varies slightly among distributions

UNIX Kernel. UNIX History

PROCESSES. Jo, Heeseung

Processes. Jo, Heeseung

ADVANCED OPERATING SYSTEMS

Advanced Systems Security: Ordinary Operating Systems

Processes. What s s a process? process? A dynamically executing instance of a program. David Morgan

Operating Systems. II. Processes

CMPS 105 Systems Programming. Prof. Darrell Long E2.371

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

The Kernel. wants to be your friend

OS security mechanisms:

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

CSE 509: Computer Security

CIS 5373 Systems Security

LAB #7 Linux Tutorial

3/7/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Race Conditions. Concurrency

CSE 451: Operating Systems Winter Module 4 Processes. Mark Zbikowski Allen Center 476

bash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1

Process management. What s in a process? What is a process? The OS s process namespace. A process s address space (idealized)

Answers to Even- Numbered Exercises

Introduction to UNIX/LINUX Security. Hu Weiwei

Security Architecture

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Introduction to Security

CSE 565 Computer Security Fall 2018

Unix Processes. What is a Process?

Discretionary Access Control

Chapter 5: User Management. Chapter 5 User Management

UNIT I Linux Utilities

Linux System Administration

Transcription:

Cyber Security Adrian Dabrowski Markus Kammerstetter Georg Merzdoznik Stefan Riegler General Unix Security Cyber Security FH Campus 1

Overview OS layers / ring separation system calls vulnerabilities Unix security users groups processes authentication Shell attacks resource limits signals libraries Cyber Security FH Campus 4

Unix Multi-user operating system Operating system functionality process management (virtual) memory management file system management I/O management Structure operating system kernel user-space programs (daemons, applications, shell) Cyber Security FH Campus 5

Unix Kernel provides an hardware abstraction layer for user-space programs complete access to all (physical) resources trusted computing base provides services via system calls System call performs a transition from user mode to privileged (kernel) mode this crosses the border between two security domains usually implemented with hardware (processor) support processor interrupt x86 call gates Cyber Security FH Campus 6

Unix System call performs a transition from user mode to privileged (kernel) mode User: CPU ring 3 code: ba 0d 00 00 00 mov $0xd,%edx code + 0x05: 8b 0d 10 a0 04 08 mov 0x804a010,%ecx code + 0x0b: bb 01 00 00 00 mov $0x1,%ebx code + 0x10: b8 04 00 00 00 mov $0x4,%eax code + 0x15: cd 80 int $0x80 Kernel: CPU ring 0 Complete access to everything fwrite to file code + 0x17: bb 01 00 00 00 mov $0x1,%ebx Cyber Security FH Campus 7

Unix System call performs a transition from user mode to privileged (kernel) mode User: CPU ring 3 code: ba 0d 00 00 00 mov $0xd,%edx code + 0x05: 8b 0d 10 a0 04 08 mov 0x804a010,%ecx code + 0x0b: bb 01 00 00 00 mov $0x1,%ebx code + 0x10: b8 04 00 00 00 mov $0x4,%eax code + 0x15: cd 80 int $0x80 Kernel: CPU ring 0 Complete access to everything fwrite to file code + 0x17: bb 01 00 00 00 mov $0x1,%ebx Cyber Security FH Campus 8

Unix System call performs a transition from user mode to privileged (kernel) mode User: CPU ring 3 code: ba 0d 00 00 00 mov $0xd,%edx code + 0x05: 8b 0d 10 a0 04 08 mov 0x804a010,%ecx code + 0x0b: bb 01 00 00 00 Input validation mov $0x1,%ebx problem: code + 0x10: b8 04 00 00 00 mov $0x4,%eax - user vs. kernel pointers code + 0x15: cd 80 int $0x80 Kernel: CPU ring 0 Complete access to everything fwrite to file code + 0x17: bb 01 00 00 00 mov $0x1,%ebx Cyber Security FH Campus 9

Unix Kernel vulnerability usually leads to complete system compromise attacks performed via system calls Solaris / NetBSD call gate creation input validation problem malicious input when creating a LDT (x86 local descriptor table) used by Last Stage of Delirium to win Argus System's Pitbull competition Kernel Integer Overflows FreeBSD procfs code Linux brk() Linux setsockopt() Linux Memory Management mremap() and munmap() kprobes setup Cyber Security FH Campus 10

Unix Device driver code is particularly vulnerable (most) drivers run in kernel mode either kernel modules or compiled-in often not well audited very large code based compared to core services Examples aironet, asus_acpi, decnet, mpu401, msnd, and pss all in one month found by sparse (tool developed by Linus Torvalds) annotation-based, static (compile-time) analysis tool check (user vs. kernel) pointers check locks Madwifi remote DOS Cyber Security FH Campus 11

Unix Code running in user mode is always linked to a certain identity security checks and access control decisions are based on user identity Unix is user-centric no roles User identified by user name (UID), group name (GID) authenticated by password (stored encrypted) User root superuser, system administrator special privileges (access resources, modify OS) cannot decrypt user passwords Cyber Security FH Campus 12

Process Management Process implements user-activity entity that executes a given piece of code has its own execution stack, memory pages, and file descriptors table separated from other processes using the virtual memory abstraction Thread separate stack and program counter share memory pages and file descriptor table Cyber Security FH Campus 13

Process Management Process Attributes process ID (PID) uniquely identified process user ID (UID) ID of owner of process effective user ID (EUID) ID used for permission checks (e.g., to access resources) saved user ID (SUID) to temporarily drop and restore privileges lots of management information scheduling memory management, resource management Cyber Security FH Campus 14

User Authentication How does a process get a user ID? Authentication (login) Passwords user passwords are used as keys for crypt() function runs DES algorithm 25 times on a block of zeros 12-bit salt 4096 variations chosen from date, not secret prevent same passwords to map onto same string make dictionary attacks more difficult Password cracking dictionary attacks crack, JohnTheRipper Cyber Security FH Campus 15

User Authentication Shadow passwords password file is needed by many applications to map user ID to user names thus, /etc/passwd is readable by user encrypted passwords are not stored there /etc/shadow holds encrypted passwords account information last change date expiration (warning, disabled) minimum/maximum change frequency readable only by superuser and privileged programs MD5 hashed passwords to slow down guessing Cyber Security FH Campus 16

Group Model Users belong to one or more groups primary group (stored in /etc/password) additional groups (stored in /etc/group) possibility to set group password and become group member with newgrp /etc/group groupname : password : group id : additional users root:x:0:root bin:x:1:root,bin,daemon users:x:100:ck Special group wheel protect root account by limiting user accounts that can perform su sudo/sudoers has similar functionality Cyber Security FH Campus 17

File System File tree primary repository of information hierarchical set of directories directories contain file system objects (FSO) root is denoted / File system object files, directories, symbolic links, sockets, device files referenced by inode (index node) everything is a file Cyber Security FH Campus 18

File System Access Control permission bits chmod, chown, chgrp, umask file listing: - rwx rwx rwx (file type) (user) (group) (other) Type r w x s t File read access write access execute suid / sgid inherit id sticky bit Directory list files insert and remove files stat / execute files, chdir new files have dir-gid files only deleteable by owner Cyber Security FH Campus 19

SUID Programs Each process has real and effective user / group ID usually identical real IDs determined by current user login, su effective IDs determine the rights of a process system calls (e.g., setuid()) suid / sgid bits attractive target for attacker You cannot SUID shell scripts anymore (usually :-) Cyber Security FH Campus 20

Shell Shell one of the core Unix applications both a command language and programming language provides an interface to the Unix operating system rich features such as control-flow primitives, parameter passing, variables, and string substitution communication between shell and spawned programs via redirection and pipes different flavors bash and sh, tcsh and csh, ksh Cyber Security FH Campus 21

Shell Attacks Environment Variables $HOME and $PATH can modify behavior of programs that operate with relative path names $IFS internal field separator used to parse tokens usually set to [ \t\n] but can be changed to / /bin/ls is parsed as bin ls calling bin locally IFS now only used to split expanded variables preserve attack (/usr/lib/preserve is SUID) called /bin/mail when vi crashes to preserve file change IFS, create bin as link to /bin/sh, kill vi Cyber Security FH Campus 22

Shell Attacks Control and escape characters can be injected into command string modify or extend shell behavior user input used for shell commands has to be rigorously sanitized easy to make mistakes classic examples are `; and `& there are MANY more!!!! Applications that are invoked via shell can be targets as well increased vulnerability surface Restricted shell invoked with -r more controlled environment Cyber Security FH Campus 23

Shell Attacks system(char *cmd) function called by programs to execute other commands invokes shell executes string argument by calling /bin/sh c string makes binary program vulnerable to shell attacks especially when user input is utilized popen(char *cmd, char *type) forks a process, opens a pipe and invokes shell for cmd Cyber Security FH Campus 24

File Descriptor Attacks SUID program opens file forks external process sometimes under user control on-execute flag if close-on-exec flag is not set, then new process inherits file descriptor malicious attacker might exploit such weakness launch program works exactly like this Linux Perl 5.6.0 getpwuid() leaves /etc/shadow opened problem for Apache with mod_perl Cyber Security FH Campus 25

Resource Limits File system limits quotas restrict number of storage blocks and number of inodes hard limit can never be exceeded (operation fails) soft limit can be exceeded temporarily can be defined per mount-point defend against resource exhaustion (denial of service) Process resource limits number of child processes, open file descriptors Cyber Security FH Campus 26

Signals Signal simple form of interrupt asynchronous notification can happen anywhere for process in user space used to deliver segmentation faults, reload commands, kill command Signal handling process can install signal handlers when no handler is present, default behavior is used ignore or kill process possible to catch all signals except SIGKILL (-9) Cyber Security FH Campus 27

Signals Security issues code has to be be re-entrant atomic modifications no global data structures race conditions unsafe library calls, system calls e.g., signal during fprintf, call to fprintf during signal handler examples wu-ftpd, sendmail, ssh,... Secure signals write handler as simple as possible block signals in handler call only asynchronous-safe functions Cyber Security FH Campus 28

Shared Libraries Library collection of object files included into (linked) program as needed code reuse Shared library multiple processes share a single library copy save disk space (program size is reduced) save memory space (only a single copy in memory) used by virtually all Unix applications (at least libc.so) check binaries with ldd Cyber Security FH Campus 29

Shared Libraries Static shared library address binding at link-time not very flexible when library changes code is fast Dynamic shared library address binding at load-time uses procedure linkage table (PLT) and global offset table (GOT) code is slower (indirection) loading is slow (binding has to be done at run-time) classic.so or.dll libraries PLT and GOT entries are very popular attack targets more when discussing buffer overflows Cyber Security FH Campus 30

Shared Libraries Process layout (32 bit systems) 0x00000000 0xbfffffff: user memory 0xc0000000 0xffffffff: kernel memory Cyber Security FH Campus 31

Shared Libraries Process layout (32 bit systems) 0x00000000 0xbfffffff: user memory.code.got table libc.so heap stack 0xc0000000 0xffffffff: kernel memory Cyber Security FH Campus 32

Shared Libraries Process layout (32 bit systems).code 0x00000000 0xbfffffff: user memory.code 0804832c <printf@plt>: libc.so 804832c: jmp *0x804a008 8048332:....GOT table 080483f4 <main>: heap 80483f4:... 8048414:call stack 804832c <printf@plt> 0xc0000000 0xffffffff: kernel memory Cyber Security FH Campus 33

Shared Libraries Process layout (32 bit systems).code 0x00000000 0xbfffffff: user memory.code 0804832c <printf@plt>: libc.so 804832c: jmp *0x804a008 8048332:....GOT table 080483f4 <main>: heap 80483f4:... 8048414:call stack 804832c <printf@plt> 0xc0000000 0xffffffff: kernel memory Cyber Security FH Campus 34

Shared Libraries Process layout (32 bit systems).code 0x00000000 0xbfffffff: user memory.got table (filled when loading lib).code 0804832c <printf@plt>: libc.so 804832c: jmp *0x804a008 8048332:... 0x804a000 <_GLOBAL_OFFSET_TABLE_+12>: 0x08048312 0x804a004 <_GLOBAL_OFFSET_TABLE_+16>: 0xf7d67690 0x804a008 <_GLOBAL_OFFSET_TABLE_+20>: 0x0a178332 libc.so 080483f4 <main>: heap 80483f4:... 8048414:call stack 804832c <printf@plt> 0a178332 <printf>: a178332:... 0xc0000000 0xffffffff: kernel memory Cyber Security FH Campus 35

Shared Libraries Management stored in special directories (listed in /etc/ld.so.conf) manage cache with ldconfig Preload override (substitute) with other version use /etc/ld.so.preload can also use environment variables for override possible security hazard now disabled for SUID programs (old Solaris vulnerability) Cyber Security FH Campus 36

Conclusion We looked at UNIX security Authentication Process management Shell attacks Libraries (GOT+PLT) LD Preload Cyber Security FH Campus 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback