516 \end{center} |
518 \end{center} |
517 |
519 |
518 \begin{itemize} |
520 \begin{itemize} |
519 \item the idea is make the attack surface smaller and mitigate the |
521 \item the idea is make the attack surface smaller and mitigate the |
520 consequences of an attack |
522 consequences of an attack |
521 \item you need an OS that supports different roles (root vs.~users) |
523 \end{itemize} |
522 \end{itemize} |
524 \end{frame} |
523 |
|
524 \end{frame} |
|
525 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
526 |
|
527 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
528 \begin{frame}[c] |
|
529 \frametitle{Weaknesses of Unix AC} |
|
530 |
|
531 Not just restricted to Unix: |
|
532 |
|
533 \begin{itemize} |
|
534 \item if you have too many roles (i.e.~too finegrained AC), then |
|
535 hierarchy is too complex\\ \textcolor{gray}{you invite situations |
|
536 like\ldots let's be root}\bigskip |
|
537 |
|
538 \item you can still abuse the system\ldots |
|
539 \end{itemize} |
|
540 |
|
541 \end{frame} |
|
542 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
543 |
|
544 |
|
545 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
546 \begin{frame}[c] |
|
547 \frametitle{A ``Cron''-Attack} |
|
548 |
|
549 \begin{enumerate} |
|
550 \item attacker \textcolor{gray}{(creates a fake passwd file)}\\ |
|
551 \texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip |
|
552 \item root \textcolor{gray}{(does the daily cleaning)}\\ |
|
553 \texttt{rm /tmp/*/*}\medskip\\ |
|
554 \hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ |
|
555 \hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\ |
|
556 |
|
557 \item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to |
|
558 the real passwd file)}\\ |
|
559 \texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\ |
|
560 \item root now deletes the real passwd file |
|
561 \end{enumerate} |
|
562 |
|
563 \only<2>{ |
|
564 \begin{textblock}{11}(2,5) |
|
565 \begin{bubble}[8cm] |
|
566 \normalsize To prevent this kind of attack, you need additional |
|
567 policies (don't do such operations as root). |
|
568 \end{bubble} |
|
569 \end{textblock}} |
|
570 |
|
571 \end{frame} |
|
572 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
573 |
|
574 |
|
575 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
576 \begin{frame}[c] |
|
577 \frametitle{The Problem} |
|
578 |
|
579 \begin{itemize} |
|
580 \item The basic problem is that library routines in C look as follows: |
|
581 \end{itemize} |
|
582 |
|
583 \begin{center} |
|
584 \small\lstinputlisting[language=C,numbers=none]{../progs/app5.c} |
|
585 \end{center} |
|
586 |
|
587 |
|
588 \end{frame} |
|
589 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
590 |
|
591 |
|
592 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
593 \begin{frame}[c] |
|
594 \frametitle{Security Goals} |
|
595 |
|
596 \begin{itemize} |
|
597 \item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause |
|
598 \item Recover from attacks (traceability and auditing of security-relevant actions)\pause |
|
599 \item Monitoring (detect attacks)\pause |
|
600 \item Privacy, confidentiality, anonymity (to protect secrets)\pause |
|
601 \item Authenticity (needed for access control)\pause |
|
602 \item Integrity (prevent unwanted modification or tampering)\pause |
|
603 \item Availability and reliability (reduce the risk of DoS attacks) |
|
604 \end{itemize} |
|
605 |
|
606 \end{frame} |
|
607 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
608 |
|
609 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
610 \begin{frame}[c] |
|
611 \frametitle{Homework} |
|
612 |
|
613 \begin{itemize} |
|
614 \item Assume format string attacks allow you to read out the stack. What can you do |
|
615 with this information?\bigskip |
|
616 |
|
617 \item Assume you can crash a program remotely. Why is this a problem? |
|
618 \end{itemize} |
|
619 |
|
620 \end{frame} |
|
621 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
622 |
|
623 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
624 \mode<presentation>{ |
|
625 \begin{frame}[c] |
|
626 \frametitle{Access Control in Unix} |
|
627 |
|
628 \begin{itemize} |
|
629 \item access control provided by the OS |
|
630 \item authenticate principals (login) |
|
631 \item mediate access to files, ports, processes according to \alert{roles} (user ids)\\ |
|
632 \item roles get attached with privileges\bigskip\\% |
|
633 \hspace{8mm} |
|
634 \begin{tikzpicture} |
|
635 \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] |
|
636 {\begin{minipage}{8cm} |
|
637 \alert{The principle of least privilege:}\\ |
|
638 programs should only have as much privilege as they need |
|
639 \end{minipage}}; |
|
640 \end{tikzpicture} |
|
641 \end{itemize} |
|
642 |
|
643 \end{frame}} |
|
644 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
645 |
|
646 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
647 \mode<presentation>{ |
|
648 \begin{frame}[t] |
|
649 \frametitle{Process Ownership} |
|
650 |
|
651 \begin{itemize} |
|
652 \item access control in Unix is very coarse |
|
653 \end{itemize}\bigskip\bigskip\bigskip |
|
654 |
|
655 \begin{center} |
|
656 \begin{tabular}{c} |
|
657 root\\ |
|
658 \hline |
|
659 |
|
660 user$_1$ user$_2$ \ldots www, mail, lp |
|
661 \end{tabular} |
|
662 \end{center}\bigskip\bigskip\bigskip |
|
663 |
|
664 |
|
665 \textcolor{gray}{\small root has UID $=$ 0}\\\pause |
|
666 \textcolor{gray}{\small you also have groups that can share access to a file}\\ |
|
667 \textcolor{gray}{\small but it is difficult to exclude access selectively}\\ |
|
668 \end{frame}} |
|
669 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
670 |
|
671 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
672 \mode<presentation>{ |
|
673 \begin{frame}[c] |
|
674 \frametitle{Access Control in Unix (2)} |
|
675 |
|
676 |
|
677 \begin{itemize} |
|
678 \item privileges are specified by file access permissions (``everything is a file'') |
|
679 \item there are 9 (plus 2) bits that specify the permissions of a file |
|
680 |
|
681 \begin{center} |
|
682 \begin{tabular}{l} |
|
683 \texttt{\$ ls - la}\\ |
|
684 \texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt} |
|
685 \end{tabular} |
|
686 \end{center} |
|
687 \end{itemize} |
|
688 |
|
689 \end{frame}} |
|
690 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
691 |
|
692 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
693 \mode<presentation>{ |
|
694 \begin{frame}[c] |
|
695 \frametitle{Login Process} |
|
696 |
|
697 |
|
698 \begin{itemize} |
|
699 \item login processes run under UID $=$ 0\medskip |
|
700 \begin{center} |
|
701 \texttt{ps -axl | grep login} |
|
702 \end{center}\medskip |
|
703 |
|
704 \item after login, shells run under UID $=$ user (e.g.~501)\medskip |
|
705 \begin{center} |
|
706 \texttt{id cu} |
|
707 \end{center}\medskip\pause |
|
708 |
|
709 \item non-root users are not allowed to change the UID --- would break |
|
710 access control |
|
711 \item but needed for example for \texttt{passwd} |
|
712 \end{itemize} |
|
713 |
|
714 \end{frame}} |
|
715 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
716 |
|
717 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
718 \mode<presentation>{ |
|
719 \begin{frame}[c] |
|
720 \frametitle{Setuid and Setgid} |
|
721 |
|
722 The solution is that unix file permissions are 9 + \underline{2 Bits}: |
|
723 \alert{Setuid} and \alert{Setgid} Bits |
|
724 |
|
725 \begin{itemize} |
|
726 \item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. |
|
727 \item This enables users to create processes as root (or another user).\bigskip |
|
728 |
|
729 \item Essential for changing passwords, for example. |
|
730 \end{itemize} |
|
731 |
|
732 \begin{center} |
|
733 \texttt{chmod 4755 fobar\_file} |
|
734 \end{center} |
|
735 |
|
736 \end{frame}} |
|
737 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
738 |
|
739 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
740 \mode<presentation>{ |
|
741 \begin{frame}[c] |
|
742 \frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}} |
|
743 |
|
744 \begin{center} |
|
745 \begin{tikzpicture}[scale=1] |
|
746 |
|
747 \draw[line width=1mm] (0, 1.1) rectangle (1.2,2); |
|
748 \draw (4.7,1) node {Internet}; |
|
749 \draw (0.6,1.7) node {\footnotesize Slave}; |
|
750 \draw[line width=1mm] (0, 0) rectangle (1.2,0.9); |
|
751 \draw (0.6,1.7) node {\footnotesize Slave}; |
|
752 \draw (0.6,0.6) node {\footnotesize Slave}; |
|
753 \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}}; |
|
754 \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; |
|
755 |
|
756 \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); |
|
757 \draw (-2.9,1.7) node {\footnotesize Monitor}; |
|
758 |
|
759 \draw[white] (1.7,1) node (X) {}; |
|
760 \draw[white] (3.7,1) node (Y) {}; |
|
761 \draw[red, <->, line width = 2mm] (X) -- (Y); |
|
762 |
|
763 \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1); |
|
764 \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9); |
|
765 |
|
766 \end{tikzpicture} |
|
767 \end{center} |
|
768 |
|
769 \begin{itemize} |
|
770 \item pre-authorisation slave |
|
771 \item post-authorisation\bigskip |
|
772 \item 25\% codebase is privileged, 75\% is unprivileged |
|
773 \end{itemize} |
|
774 \end{frame}} |
|
775 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
776 |
|
777 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
778 \mode<presentation>{ |
|
779 \begin{frame}[c] |
|
780 \frametitle{Network Applications} |
|
781 |
|
782 ideally network application in Unix should be designed as follows: |
|
783 |
|
784 \begin{itemize} |
|
785 \item need two distinct processes |
|
786 \begin{itemize} |
|
787 \item one that listens to the network; has no privilege |
|
788 \item one that is privileged and listens to the latter only (but does not trust it) |
|
789 |
|
790 \end{itemize} |
|
791 |
|
792 \item to implement this you need a parent process, which forks a child process |
|
793 \item this child process drops privileges and listens to hostile data\medskip |
|
794 |
|
795 \item after authentication the parent forks again and the new child becomes the user |
|
796 \end{itemize} |
|
797 |
|
798 |
|
799 \end{frame}} |
|
800 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
525 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
801 |
526 |
802 |
527 |
803 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
528 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
804 \mode<presentation>{ |
529 \mode<presentation>{ |