20-771: Computer Security Lecture 5: Server Security, Unix


Transcript of 20-771: Computer Security Lecture 5: Server Security, Unix

Page 1: 20-771: Computer Security Lecture 5: Server Security, Unix

Lecture 6, 20-771: Computer Security, Fall 2002 1

20-771: Computer Security, Lecture 5: Server Security, Unix

Robert Thibadeau

School of Computer Science

Carnegie Mellon University

Institute for eCommerce, Fall 2002

Page 2

Today’s lecture

• Server Security
  – Crashing machines and Stacheldraht!

• Break (10 min)

• Unix Server

– Unix Access Control

• Code to check SUID bits

Page 3

Sept 11

Presentation

Page 4

This Week

Chapters 4,5 WS

Page 5

Server Side Security

• Webjacking : Editing a page without your permission.

• Stealing information.

• Disabling your web site.

• Authenticating Users, Authorizing Users

Page 6

Why are Web Sites Vulnerable

• Bugs in System Software

• System Software is Incorrectly Configured

• The Server Hardware isn’t Secure

• Networks are Not Secure

• Remote Authoring and Administration Tools Open Holes

• Insider Threats are Overlooked

Page 7

Bugs in System Software

1. System self destructs and hardware lost

2. System self destructs and software/data lost

3. System crashes and needs reboot

4. Software crashes and needs restarting

5. Software runs slowly/non-responsively

6. Software does something not intended

7. Software “feature” a nuisance

Page 8

The “Buffer Overrun”

• Really a whole range of attacks:
  – A program is handed long arguments. This causes the program to fail but leaves the user with write privileges.
  – A program is handed arguments that are interpreted and therefore can possibly be run.
  – Never use “exec” or “system” in cgi-bin.

• How common is it for a program/module to fail if given the wrong arguments?

• Koopman.pdf

Page 9

Koopman 2000 Data: BUFFER OVERRUNS LIVE ON!

System                    CE     2000   NT     98 SE   98     95     Linux
#Sys calls                71     143    143    143     143    133    91
 -Catastrophic Failures   10     0      0      6       5      7      0
#Calc Failures            61     143    143    137     138    126    91
 -Restart                 .1%    .4%    .3%    .1%     .1%    .1%    .2%
 -Abort Failures          13%    23%    24%    13%     13%    12%    7%
#C-library fns            82     94     94     94      94     94     94 (GNU)
 -Catastrophic Failure    18     0      0      1       2      1      0
#Calc. Failure            64     94     94     93      92     93     94
 -Restart                 0%     .05%   .01%   0%      0%     .02%   .8%
 -Abort Failures          14%    24%    25%    25%     25%    25%    35%

Page 10

Denial of Service
Large numbers of computers are recruited to create an attack

Stacheldraht (Barbed Wire), first reported by David Dittrich, University of Washington, December 29, 1999 (basis for the giant DoS in Jan 2000):

• The Client:
  – The client connects to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken". The attacker uses the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

• The Master Server:
  – The master server handles all communication between client and agent programs.

• The Agent:
  – The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image, as well as accepting commands to execute flood attacks against target machines.
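The heartbeat indicators on this slide (an ICMP echo reply whose ID field is 666..669 and whose data carries one of the plaintext markers) are exactly what a network sensor would key on to find an agent talking to its master. The following is an added example, not code from the lecture or from Dittrich's analysis: a C check over raw ICMP messages, requiring both the ID value and a marker string so that an ordinary ping with an unlucky ID is not flagged. The three sample packets are constructed for the example and their checksums are left at zero because the check does not verify them.

```c
/* Added example (not from the lecture): flag ICMP echo-reply messages that
 * match the Stacheldraht agent/master heartbeat described on the slide. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHO_REPLY 0
#define ICMP_HDR_LEN    8   /* type, code, checksum(2), id(2), sequence(2) */

/* Marker strings the slide lists; a real sensor would load these from a rule file. */
static const char *const markers[] = { "skillz", "ficken", "spoofworks" };

/* Bounded search for `needle` inside `hay` (payload is not NUL-terminated). */
static int contains(const unsigned char *hay, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n <= len && i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 when `pkt` (ICMP header + data, `len` bytes) looks like a heartbeat:
 * echo reply, ID in 666..669 (network byte order), and a marker in the data. */
int is_stacheldraht_heartbeat(const unsigned char *pkt, size_t len) {
    if (len < ICMP_HDR_LEN || pkt[0] != ICMP_ECHO_REPLY) return 0;
    uint16_t id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (id < 666 || id > 669) return 0;
    const unsigned char *data = pkt + ICMP_HDR_LEN;
    size_t dlen = len - ICMP_HDR_LEN;
    for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++)
        if (contains(data, dlen, markers[m])) return 1;
    return 0;
}

/* Constructed sample messages. */
static const unsigned char heartbeat_pkt[] = {
    0x00, 0x00, 0x00, 0x00,      /* type 0 (echo reply), code 0, checksum */
    0x02, 0x9a, 0x00, 0x01,      /* id 666 (0x029a), sequence 1 */
    's', 'k', 'i', 'l', 'l', 'z' /* marker in the data field */
};
static const unsigned char benign_pkt[] = {
    0x00, 0x00, 0x00, 0x00,
    0x12, 0x34, 0x00, 0x07,      /* id 0x1234: an ordinary ping reply */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'
};
static const unsigned char id_only_pkt[] = {
    0x00, 0x00, 0x00, 0x00,
    0x02, 0x9d, 0x00, 0x01,      /* id 669 but no marker: ID alone is not enough */
    'h', 'e', 'l', 'l', 'o'
};

/* Run the check on sample 0, 1 or 2; -1 for an unknown index. */
int sample_is_heartbeat(int which) {
    switch (which) {
    case 0: return is_stacheldraht_heartbeat(heartbeat_pkt, sizeof heartbeat_pkt);
    case 1: return is_stacheldraht_heartbeat(benign_pkt, sizeof benign_pkt);
    case 2: return is_stacheldraht_heartbeat(id_only_pkt, sizeof id_only_pkt);
    default: return -1;
    }
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("sample %d: %s\n", i, sample_is_heartbeat(i) ? "HEARTBEAT" : "clean");
    return 0;
}
```

In a live sensor the bytes would come from the ICMP portion of a captured IP packet; the check itself is the same.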

Page 11

Denial of Service II
Large numbers of computers are recruited to create an attack

Stacheldraht (Barbed Wire):

• The Client:
  – The attacker uses the client to manage Stacheldraht agents.

• The Master Server:
  – The master server handles all communication between client and agent programs.

• The Agent:
  – Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image, as well as accepting commands to execute flood attacks against target machines.

• The Attack:
  – Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines.

• Where and How:
  – Stacheldraht agents were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd", "cmsd" and "ttdbserverd". They are often witnessed "in the wild".

Page 12

Stacheldraht Model

[Diagram: Client -> Master Server A, Master Server B -> AGENT A, AGENT B, ... AGENT N -> YOU 1, YOU 2, ... YOU N]

First set up a bunch of master servers. Set up thousands of agents. Now say “march!” through any one or more of your master servers.

Page 13

Stacheldraht Commands!

.distro user server Instructs the agent to install and run a new copy of itself using the Berkeley "rcp" command, on the system "server", using the account "user" (e.g., "rcp user@server:linux.bin ttymon")

.help Prints a list of supported commands.

.killall Kills all active agents.

.madd ip1[:ip2[:ipN]] Add IP addresses to list of attack victims.

.mdie Sends die request to all agents.

.mdos Begins DoS attack.

.micmp ip1[:ip2[:ipN]] Begin ICMP flood attack against specified hosts.

.mlist List IP addresses of hosts being DoS attacked at the moment.

.mping Pings all agents (bcasts) to see if they are alive.

.msadd Adds a new master server (handler) to the list of available servers.

.msort Sort out dead/alive agents (bcasts). (Sends pings and shows counts/percentage of dead/alive agents).

Page 14

Stacheldraht Commands! 2

.mstop ip1[:ip2[:ipN]]
.mstop all Stop attacking specific IP addresses, or all.

.msrem Removes a master server (handler) from the list of available servers.

.msyn ip1[:ip2[:ipN]] Begin SYN flood attack against specified hosts.

.mtimer seconds Set timer for attack duration. (No checks on this value.)

.mudp ip1[:ip2[:ipN]] Begin UDP flood attack against specified hosts. (Trinoo DoS emulation mode.)

.setisize Sets size of ICMP packets for flooding. (max:1024, default:1024).

.setusize Sets size of UDP packets for flooding (max:1024 default:1024).

.showalive Shows all "alive" agents (bcasts).

.showdead Shows all "dead" agents (bcasts).

.sprange lowport-highport Sets the range of ports for SYN flooding (defaults to lowport:0, highport:140).

Page 15

SYN Floods

• TCP Synchronization Handshake Attack
  – C-SYN, S-SYN-ACK, C-ACK (triple, but you stop at 2)

• The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.

• netstat -a -f inet
  – Too many connections in the state "SYN_RECEIVED" indicates that the system is being attacked.
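The netstat rule above is easy to automate. The following is an added example, not code from the lecture: it scans netstat-style output line by line, counts connections per TCP state, and raises the SYN-flood flag once the number of half-open connections reaches a threshold (the threshold value is an assumption; pick it from a baseline of the machine's normal load). The sample output is constructed; it mixes the Linux spelling SYN_RECV with the BSD/Solaris SYN_RECEIVED, and the check accepts both.

```c
/* Added example (not from the lecture): count half-open TCP connections in
 * netstat output, the check the slide describes for spotting a SYN flood. */
#include <stdio.h>
#include <string.h>

/* Copy the last whitespace-delimited field of `line` into `out`; 0 if the line is blank. */
static int last_field(const char *line, char *out, size_t n) {
    size_t end = strlen(line);
    while (end > 0 && strchr(" \t\r\n", line[end - 1]) != NULL) end--;
    if (end == 0) return 0;
    size_t start = end;
    while (start > 0 && line[start - 1] != ' ' && line[start - 1] != '\t') start--;
    size_t len = end - start;
    if (len >= n) len = n - 1;
    memcpy(out, line + start, len);
    out[len] = '\0';
    return 1;
}

/* Number of lines whose state column (last field) equals `state`. */
int count_state(const char *netstat_output, const char *state) {
    int count = 0;
    const char *p = netstat_output;
    char line[256], field[32];
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        if (last_field(line, field, sizeof field) && strcmp(field, state) == 0) count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Half-open connections under either spelling of the state name. */
int count_half_open(const char *netstat_output) {
    return count_state(netstat_output, "SYN_RECEIVED") + count_state(netstat_output, "SYN_RECV");
}

/* The slide's rule with a number on it: "too many" half-open connections. */
int syn_flood_suspected(const char *netstat_output, int threshold) {
    return count_half_open(netstat_output) >= threshold;
}

/* Constructed sample in Linux netstat layout (addresses from documentation ranges). */
static const char sample_netstat[] =
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n"
    "tcp        0      0 192.0.2.10:80           198.51.100.7:51932      ESTABLISHED\n"
    "tcp        0      0 192.0.2.10:80           203.0.113.4:1025        SYN_RECV\n"
    "tcp        0      0 192.0.2.10:80           203.0.113.9:1026        SYN_RECV\n"
    "tcp        0      0 192.0.2.10:80           203.0.113.12:1027       SYN_RECV\n"
    "tcp        0      0 192.0.2.10:80           203.0.113.77:1028       SYN_RECEIVED\n"
    "tcp        0      0 192.0.2.10:80           203.0.113.200:1029      SYN_RECV\n"
    "tcp        0      0 192.0.2.10:22           198.51.100.7:40022      ESTABLISHED\n";

int main(void) {
    int half_open = count_half_open(sample_netstat);
    printf("half-open: %d, established: %d\n", half_open, count_state(sample_netstat, "ESTABLISHED"));
    printf("SYN flood suspected (threshold 5): %s\n", syn_flood_suspected(sample_netstat, 5) ? "yes" : "no");
    return 0;
}
```

To run it against a live machine, feed the text of `netstat -a -f inet` (or `netstat -ant` on Linux) to count_half_open(); the threshold should come from what the host normally shows, not from the sample.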

Page 16

If Stacheldraht did that then …

• What is going on silently and without destruction?

• Armies of agents?
  – Probably

Page 17

Break!

Page 18

Security Policy Components

• Personnel
  – Access Levels

  – Authorization Procedures

  – Revocation of Authorization

• Access Privileges
  – Local Login

– Network Login

– Authoring Access

– Remote Server Administration

– Browsing Access

– CGI-Script Installation

– Access to the /private directory

Page 19

Security Policy Components

• Personnel

• Access Privileges

• Network Services
  – Web

  – FTP

  – Other (no other)

• Maintenance
  – 24X7

– Backups

Page 20

Setting up Unix

• Apply vendor OS patches

• Turn off unessential services

• Add minimum number of user accounts
  – Make a back door for yourself to do admin for a while

• Get the file and directory permissions right

• NOW YOU CAN PUT UNIX ON THE INTERNET!
  – Lots of automated programs probe to get trojan horses on your machine and this can happen FAST!

– Fastest we’ve seen in Computer Science: 11 Minutes and we had to rebuild the machine.

Page 21

Unix Access

• User and Group Access Rights is the Basis for Unix Security
  – Read, Write, Execute on a file/directory/device

• The biggest TCO (total cost of ownership) in a computer system is administering and working with access control.

– Because things just don’t work until you get the access rights working properly

– People think it is something wrong with the program when it is really just the security environment that is set wrong.

• A GREAT REASON to REALLY LEARN YOUR ACCESS CONTROL SYSTEM!

Page 22

Unix Access Protections

• What has access protections u-rwx g-rwx o-rwx?
  – Files
  – Directories
  – Devices (/dev/)
  – Programs (must have execute bit set).

• All these have ONE user and ONE group that owns them.

• Each User is ONE user and ONE DEFAULT group but many group memberships.

• Types of protections applied when creating/modifying:
  – User : rwx (u-rwx, -rwx------, or 0700)
  – Group : rwx (g-rwx, ----rwx---, or 0070) – other members of user’s group
  – Other : rwx (o-rwx, -------rwx, or 0007)
  – A directory : d (d--------- -> set automatically by file system)
  – SGID : (------s--- or 2000) inherit group protections
  – umask 002 : automatically let everybody in group rwx
    » Need private user group : user mary, group mary if umask 002 not 022.

• A user can be a member of many groups but only the primary defaults to write unless directory permission is set to overcome user permission (sgid bit set on directory).

• When access is provided to a group, every member gets it.

Page 23

Unix Access Permission Model

[Diagram: a FILE / DIRECTORY / DEVICE / INODE owned by User A, Group A; around it USER A (Group A), USER B (Group B), USER C (Group A), GROUP A, GROUP B, GROUP C and OTHER]

          Read   Write   Execute
User      4      2       1
Group     4      2       1
Other     4      2       1

Special bits:  Set UserID 4   Set GID 2   Set Sticky 1

Page 24

Special Bits do ONE thing each: drwsrwsrwt

• 4 Set User ID : causes an executable file (a program) to go into the access permissions of the owner of the file (note, group or OTHER could execute it!) not the person executing it. SUID to root is dangerous.

• 2 Set Group ID : causes a new file that is being created in a directory to have the group ID of the directory, not the default group of the person (User) that is creating the file.

• 1 Sticky Bit : Causes a new file that is being created in a directory to not be deletable by just anybody in that directory but by the user who created the file.

Page 25

Seeing Who you Pretend to Be.

• idinfo script:

    #!/bin/sh
    # idinfo: Print user information
    echo " effective user-ID:"
    id -un
    echo " real user-ID:"
    id -unr
    echo " group ID:"
    id -gn

Page 26

Set User ID Test

• suidtest.c:

    /* suidtest.c */
    #include <stdio.h>
    #include <stdlib.h>    /* exit() */
    #include <unistd.h>    /* access(), execle() */

    int main(void)
    {
        /* secure SUID programs MUST *not* trust any user input or environment variable!! */
        char *env[] = {"PATH=/bin:/usr/bin", NULL};   /* fixed, minimal environment */
        char prog[] = "/home/alice/idinfo";           /* hard-coded program to run */

        if (access(prog, X_OK)) {
            fprintf(stderr, "ERROR: %s not executable\n", prog);
            exit(1);
        }
        printf("running now %s ...\n", prog);
        /* argv[0] is the program name, then the NULL terminator, then the fixed environment */
        execle(prog, prog, (char *)NULL, env);
        perror("suidtest");   /* only reached if execle failed */
        return 1;
    }

Page 27

More on SUID

• gcc -o suidtest -Wall suidtest.c

• chmod 4755 suidtest OR chmod u+s suidtest

• ls -l suidtest

• suidtest idtest

• Set-UID programs are often used by "root" to give ordinary users access to things that normally only "root" can do. As root you can e.g. modify suidtest.c to allow any user to run the ppp-on/ppp-off scripts on your machine.

• Note: It is possible to switch off Suid when mounting a file system. If the above does not work then check your /etc/fstab. It should look like this:

    /dev/hda5 / ext2 defaults 1 1

  If you find the option "nosuid" there then this Suid feature is switched off. For details have a look at the man-page of mount.
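The agenda promised "code to check SUID bits": once a machine is on the network, an administrator wants an inventory of every set-UID executable on it, since each root-owned one is a place where an ordinary user runs with root's permissions. The following is an added example, not code from the lecture. It walks a directory tree with nftw(3) without following symlinks, lists regular files carrying the set-UID or set-GID bit, and counts the root-owned set-UID ones separately. self_check() builds a throwaway fixture under /tmp (one 04755 file, one 0644 file) so the scanner can be exercised without touching system directories; the default scan root /usr/bin in main() is just a convenient starting point.

```c
/* Added example (not from the lecture): find set-UID / set-GID files under a
 * directory. Compile: gcc -Wall -o suidscan suidscan.c ; run: ./suidscan /usr/bin */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Totals of the most recent scan; static because nftw's callback carries no user pointer. */
static struct { int suid; int suid_root; int sgid; } totals;

/* 1 if `sb` describes a regular file with the set-UID bit. */
int is_suid_file(const struct stat *sb) {
    return S_ISREG(sb->st_mode) && (sb->st_mode & S_ISUID) != 0;
}

static int visit(const char *path, const struct stat *sb, int flag, struct FTW *ftw) {
    (void)ftw;
    if (flag != FTW_F) return 0;                       /* regular files only */
    if (is_suid_file(sb)) {
        totals.suid++;
        if (sb->st_uid == 0) totals.suid_root++;
        printf("SUID %04o uid=%u %s%s\n", (unsigned)(sb->st_mode & 07777),
               (unsigned)sb->st_uid, path, sb->st_uid == 0 ? "   <-- root-owned" : "");
    }
    if (sb->st_mode & S_ISGID) {
        totals.sgid++;
        printf("SGID %04o uid=%u %s\n", (unsigned)(sb->st_mode & 07777), (unsigned)sb->st_uid, path);
    }
    return 0;                                          /* keep walking */
}

/* Scan `root`; returns the number of set-UID regular files, or -1 if the walk failed. */
int count_suid_files(const char *root) {
    memset(&totals, 0, sizeof totals);
    if (nftw(root, visit, 16, FTW_PHYS) != 0) return -1;   /* FTW_PHYS: never follow symlinks */
    return totals.suid;
}

int count_suid_root_files(void) { return totals.suid_root; }

/* Self-check: private temp dir with one 04755 file and one 0644 file, scanned, then removed.
 * Returns 1 when the scanner reports exactly one set-UID file. */
int self_check(void) {
    char dir[] = "/tmp/suidscanXXXXXX";
    char a[64], b[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(a, sizeof a, "%s/setuid_tool", dir);
    snprintf(b, sizeof b, "%s/plain_file", dir);
    int fa = open(a, O_WRONLY | O_CREAT, 0755);
    int fb = open(b, O_WRONLY | O_CREAT, 0644);
    int ok = fa >= 0 && fb >= 0 && fchmod(fa, 04755) == 0;   /* an owner may set SUID on its own file */
    if (fa >= 0) close(fa);
    if (fb >= 0) close(fb);
    int found = ok ? count_suid_files(dir) : -1;
    unlink(a); unlink(b); rmdir(dir);
    return found == 1;
}

int main(int argc, char **argv) {
    const char *root = argc > 1 ? argv[1] : "/usr/bin";
    int n = count_suid_files(root);
    if (n < 0) { perror(root); return 1; }
    printf("%d set-UID file(s) under %s, %d owned by root\n", n, root, count_suid_root_files());
    return 0;
}
```

Run it against the real system periodically and diff the output against the previous run; a new root-owned set-UID file that nobody installed is the kind of change the "11 minutes" story on the earlier slide is about.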

Page 28

SUID User Bit

• If root owns the file with the s-bit set, any user can then do things that normally only root can do.

• A few words on security.

• When you write a SUID program then you must make sure that it can only be used for the purpose that you intended it to be used.

• Always set the path to a hard-coded value.

• Never rely on environment variables or functions that use environment variables.

• Never trust user input (config files, command line arguments....). Careful on BUFFER OVERFLOWAAA…!

• Check user input byte for byte and compare it with values that you consider valid.
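The rules on this slide, turned into code. The following is an added example, not code from the lecture: a small set-UID front end in the style of the ppp-on/ppp-off idea from the previous slide, where the only user input is one argument that is length-bounded and checked byte for byte against an allowlist, then mapped to one of a fixed set of scripts, with a hard-coded PATH and no environment lookups. The script paths and the "pppctl" name are assumptions for the example.

```c
/* Added example (not from the lecture): input discipline for a set-UID program.
 * Nothing from argv or the environment ever reaches a path or a shell. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARG 32    /* longest argument we are willing to look at */

/* 1 if `arg` is non-empty, at most MAX_ARG bytes, made only of [A-Za-z0-9_-]
 * and not starting with '-'. The NUL is looked for within a fixed bound
 * first, so an over-long or unterminated argument is rejected before any
 * other byte is examined. */
int is_safe_name(const char *arg) {
    if (arg == NULL) return 0;
    size_t len = 0;
    while (len <= MAX_ARG && arg[len] != '\0') len++;
    if (len == 0 || len > MAX_ARG) return 0;
    if (arg[0] == '-') return 0;                /* would read as an option to the target */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Map a validated action name to the only scripts this program may run;
 * NULL for anything not in the table. */
const char *lookup_action(const char *arg) {
    static const struct { const char *name; const char *path; } table[] = {
        { "ppp-on",  "/usr/local/sbin/ppp-on"  },   /* assumed paths for the example */
        { "ppp-off", "/usr/local/sbin/ppp-off" },
    };
    if (!is_safe_name(arg)) return NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(arg, table[i].name) == 0) return table[i].path;
    return NULL;
}

int main(int argc, char **argv) {
    char *env[] = { "PATH=/bin:/usr/bin", NULL };   /* hard-coded, as in suidtest.c */
    const char *script = argc == 2 ? lookup_action(argv[1]) : NULL;
    if (script == NULL) {
        fprintf(stderr, "usage: pppctl ppp-on|ppp-off\n");
        return 2;
    }
    execle(script, script, (char *)NULL, env);   /* argv[0], end of argv, then the fixed env */
    perror("pppctl");                            /* reached only if execle failed */
    return 1;
}
```

The two checks are deliberately separate: is_safe_name() bounds the damage any argument can do, and lookup_action() then turns the surviving string into a path chosen by the program, never by the caller.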

Page 29

umask

• Applies only when you are creating a file (directory, device…)

• 022 is the general default: only you can write a file but everybody else can read and execute it. It is a mask on the file settings given by the environment.

• 002 lets everybody in your group write the file.

• 000 lets everybody write the file.

• 277 lets only you read and execute (safety)

• Just type “umask 277” in a shell window and now when you make a file, it will have these attributes.

Page 30

Unix Access Control is

• VERY SIMPLE! Only four sets of three bits for any file or directory (or device)

• You are you, a member of a default group, and a member of N other groups.

• You have a umask which limits the access to any file or directory you create.

• Three of the four sets of three bits are read-write-execute for you, ONE group—usually your default, and others (anybody else)

• One is 3 special bits with special purposes that let
  – an executable do things you can’t do,
  – let you work with a group in a group directory, and
  – let you let a group read and write but they can’t delete your file (modify only).

Page 31

Unix Access Model

                                    Special                    User          Group         Other
Directory (d)                       Set user/group on          rwx/s         rwx/s         rwx
  Has user/group                    execution                  4-2-1         4-2-1         4-2-1
  drwxrwsrwx                        0-2-0 (“s”)                7             7             7
Umask                               Turns off bits in          0             0             2
                                    creation
Result for new file or directory    0-2-0 -> 2                 4-2-1 -> 7    4-2-1 -> 7    4-1 -> 5
File                                Set user/group on          rwx           rwx           rwx
  Has user/group                    execution
                                    4-2-0 (“s”)

Page 32

P3P : Personal Info Privacy

• www.w3.org/p3p, yuan.ecom.cmu.edu/privacy, p3p.jrc.it – JAVA CODE

• Client makes any first http request

• Server includes in its http response header a pointer to its p3p policyref (policy reference page).

• Client MAY now check the p3p policyref before proceeding to any next interaction with the server.

• Method is to apply APPEL rules.

• Each APPEL rule looks at a part of the policyref and decides to ACCEPT, REJECT, INFORM or WARN the person.

Page 33

P3P XML Tree

[Tree diagram:]

POLICY
  EXTENSION (EXT)
  ENTITY            – Who is the organization?
  ACCESS            – What info can you, as a user, access, e.g. your retirement balance?
  DISPUTES-GROUP    – If privacy violated?
    DISPUTES
      EXTENSION
  STATEMENT         – What privacy do they promise and about what?
    EXT
    DATA-GROUP
      EXT
DATASCHEMA          – Special data representations, car.year.model

Page 34

P3P Summary

CATEGORIES: physical, purchase, financial, uniqueid, online, interactive, demographic, navigation, computer, political, health, state, content, preference, location, other

ACCESS: other_ident, ident_contact, nonident, contact_and_other, targeting, all, none

REMEDIES: law, money, correct

PURPOSE: current, contact, customization, develop, admin, profiling, other-purpose

RECIPIENT: ours, delivery, public, other-recipient, same, unrelated

RETENTION: no-retention, legal-requirement, business-practices, stated-purpose, indefinitely

DISPUTES resolution-type: court, independent, service, law

Page 35

APPEL Rules

• If you are taking my name and the recipient is “other recipient” maybe I want to reject.

• If you are taking my name and the recipient is “other recipient” but there is extended text (the machine can’t read this – only know it is there) then maybe I WARN and put this text in the warning window.