# HG changeset patch
# User Christian Urban
# Date 1444814827 -3600
# Node ID 6a54ee8b74c353199fa9b71740f21617d43ff9e5
# Parent 4e3bc09748f757bf1a03f55f27c8cf8892bdb132
updated
diff -r 4e3bc09748f7 -r 6a54ee8b74c3 slides/slides04.pdf
Binary file slides/slides04.pdf has changed
diff -r 4e3bc09748f7 -r 6a54ee8b74c3 slides/slides04.tex
--- a/slides/slides04.tex Tue Oct 13 03:45:37 2015 +0100
+++ b/slides/slides04.tex Wed Oct 14 10:27:07 2015 +0100
@@ -111,7 +111,8 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm]
+ Privilege Separation\end{tabular}}
 \begin{center}
@@ -141,53 +142,49 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Access Control in Unix}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals
+\item mediate access to files, ports, processes etc according to
+ \alert{roles} (user ids)\\
+\item roles get attached with privileges (some special roles: root)\bigskip\\
+
+\hspace{8mm}
+\begin{bubble}[8cm]
+\alert{principle of least privilege:}\\
+users and programs should only have as much privilege as they need to
+accomplish a task
+\end{bubble}
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}
+\frametitle{Access Control in Unix (2)}
 \begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
+\item privileges are specified by file access permissions (``everything is a file'')\medskip
+\item there are 9 (plus 2) bits that specify the permissions of a file
 \end{itemize}
-\only<5->{
-\begin{textblock}{1}(3,7)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-Only failure makes us experts.
- -- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Unix-Style Access Control}
-
-How to do control access? In Unix you have
-
-\begin{itemize}
-\item users and you have groups/roles:
-\item some special roles: root
-\end{itemize}
+\begin{center}
+${\underbrace{\LARGE\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
+ \;{\underbrace{\LARGE\texttt{r{}-{}-}}_{\text{user}}}\,
+ {\underbrace{\LARGE\texttt{r{}w{}-}}_{\text{group}}}\,
+ {\underbrace{\LARGE\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
+ \LARGE\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$
+\end{center}
 \end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
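Review bot: The underbrace label `directory` over the leading `\texttt{-}` in the new permission display contradicts what that glyph means: in `ls -l` output the first column is the file type, where `-` denotes a regular file and a directory shows `d`, so as written the slide teaches students to read a regular file's mode string as a directory. Either relabel it, e.g. `_{\text{\makebox[0mm]{type}}}`, or show a `d` if the example is meant to be a directory. The count `9 (plus 2) bits` also leaves out the sticky bit, the third special mode bit next to setuid and setgid; the later Setuid and Setgid slide would be a natural place for a footnote on it. Minor: `\LARGE` inside `$…$` is a font-size command issued in math mode, which LaTeX normally reports as invalid, so wrapping each `\texttt` piece as `\text{\LARGE\texttt{…}}` or moving the size change outside the math would keep the log clean.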
@@ -223,39 +220,6 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (4.7,1) node {Internet};
- \draw (-2.7,1.7) node {\footnotesize Application};
- \draw (0.6,1.7) node {\footnotesize Interface};
- \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
- \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item the idea is make the attack surface smaller and mitigate the
- consequences of an attack
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
 \frametitle{Weaknesses of Unix AC}
 Not just restricted to Unix:
@@ -321,106 +285,37 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-\frametitle{D-Link Backdoors}
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Infamous Security Flaws\\[-1mm]
+in Unix\end{tabular}}
-D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
-\begin{quote}\rm\small
-If you tell your browser to identify itself as Joel's backdoor, instead of (say)
-as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
-
-"What is this string," I hear you ask?
-
-You will laugh: it is\pause
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
+\end{itemize}
-\begin{center}\large
-\pcode{xmlset_roodkcableoj28840ybtide}
-\end{center}
-\end{quote}\bigskip\bigskip
-
-\hfill\footnotesize October 15, 2013\\
-\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
+\only<4->{
+\begin{textblock}{1}(3,7)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+ -- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-
-CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip
-
-\begin{quote}\rm\small
-Hi,
-
-we just found a serious vulnerability in the chkrootkit package, which
-may allow local attackers to gain root access to a box in certain
-configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:
-
-\begin{itemize}
-\item Put an executable file named \pcode{update} with non-root owner in
-\pcode{/tmp} (not mounted noexec, obviously)
-\item Run chkrootkit (as uid \pcode{0})
-\end{itemize}
-
-Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
-rooting your box, if malicious content is placed inside the file.
-
-If an attacker knows you are periodically running chkrootkit (like in
-\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
-easily take advantage of this.
-\end{quote}
-\mbox{}\\[-10mm]
-
-\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Access Control in Unix}
-
-\begin{itemize}
-\item access control provided by the OS
-\item authenticate principals
-\item mediate access to files, ports, processes etc according to
- \alert{roles} (user ids)\\
-\item roles get attached with privileges\bigskip\\
-
-\hspace{8mm}
-\begin{bubble}[8cm]
-\alert{principle of least privilege:}\\
-users and programs should only have as much privilege as they need to
-accomplish a task
-\end{bubble}
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-
-
-\begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'')\medskip
-\item there are 9 (plus 2) bits that specify the permissions of a file
-
-\begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls -la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\end{tabular}
-\end{center}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
@@ -451,7 +346,7 @@
 \frametitle{Setuid and Setgid}
 The solution is that Unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} bits
+\alert{\bf Setuid} and \alert{\bf Setgid} bits
 \begin{itemize}
 \item When a file with setuid is executed, the resulting process will
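Review bot: The relocated `mkdir` bullet carries a wording slip, `changes to ownership to the user's id`, which should read `changes the ownership to the user's id`; since the slide was moved rather than rewritten, this is the moment to fix it. The `\only<4->{` overlay for the Theo de Raadt quote is hand-synchronised with the two `\pause`s above it (the commit lowered it from `<5->` when it dropped a `\pause` from the `lpr` bullet), so any later edit to the bullets silently breaks the reveal order; if I read beamer's relative overlay syntax correctly, `\only<+(1)->{` would follow the pause counter instead. All three flaws on the slide are a root-privileged program acting on a path the caller controls, so a closing line tying them back to the least-privilege bubble on the `Access Control in Unix` slide, e.g. `in each case the privileged process acts on the user's behalf without checking the user's own permissions`, would make the lesson explicit. The enclosing frame starts and ends within the hunk, before the deleted chkrootkit slide.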
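Review bot: `\alert{\bf Setuid} and \alert{\bf Setgid} bits` uses the obsolete two-letter font switch `\bf`, which resets the font family and shape rather than only adding weight and is flagged by l2tabu/nag; `\alert{\textbf{Setuid}} and \alert{\textbf{Setgid}} bits` gives the intended bold emphasis without that side effect. Since `\alert` in most beamer themes already applies a colour, it is also worth checking whether the extra bold is wanted at all.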