static void insecure (localhost *unix)

Transcription

1 static void insecure (localhost *unix) Eric Pancer Information Security Team DePaul University Securing UNIX Hosts from Local Attack p.1/32

2 Overview This presentation intends to help the audience better understand both security risks and techniques to combat local attacks against a UNIX host. We will focus on local security and not address any of the security risks involved in attaching to a network. <Blurb on why local security is important> Securing UNIX Hosts from Local Attack p.2/32

3 Scope The focus of this talk will be on newer UNIX variants that have become more common over the past 10 years. These include Linux BSD 4.4 variants OpenBSD FreeBSD While these aren t the only UNIX variants alive and well, they feature some of the more progressive security improvements. Securing UNIX Hosts from Local Attack p.3/32

4 What We Won t Cover While this talk will not focus on network security, it assumes that you have... Configured network applications to run under unique, unprivileged accounts. Disabled services not vital for production. Disabled unauthenticated services (r* services, anonymous ftp, fingerd). Implemented kernel level TCP/IP filtering and hardened your TCP/IP stack. Actively monitor traffic to and from the host. Securing UNIX Hosts from Local Attack p.4/32

5 Assumptions This talk assumes that you have a working knowledge of UNIX and understand the basics of a kernel, file-system, privileges, etc.. Securing UNIX Hosts from Local Attack p.5/32

6 Preface Securing UNIX Hosts from Local Attack p.6/32

7 The Good News Simple model: userland vs. privileged space. Securing UNIX Hosts from Local Attack p.7/32

8 The Good News Simple model: userland vs. privileged space. (Relatively) easy to audit via syslogd(8). Securing UNIX Hosts from Local Attack p.7/32

9 The Good News Simple model: userland vs. privileged space. (Relatively) easy to audit via syslogd(8). Aged, Securing UNIX Hosts from Local Attack p.7/32

10 The Good News Simple model: userland vs. privileged space. (Relatively) easy to audit via syslogd(8). Aged, Well understood, Securing UNIX Hosts from Local Attack p.7/32

11 The Good News Simple model: userland vs. privileged space. (Relatively) easy to audit via syslogd(8). Aged, Well understood, Reviewed source code, Securing UNIX Hosts from Local Attack p.7/32

12 The Good News Simple model: userland vs. privileged space. (Relatively) easy to audit via syslogd(8). Aged, Well understood, Reviewed source code, Even proprietary versions aren t very proprietary anymore. Securing UNIX Hosts from Local Attack p.7/32

13 The Good News Simple model: userland vs. privileged space. (Relatively) easy to audit via syslogd(8). Aged, Well understood, Reviewed source code, Even proprietary versions aren t very proprietary anymore. Modular. Securing UNIX Hosts from Local Attack p.7/32

14 The Good News Simple model: userland vs. privileged space. (Relatively) easy to audit via syslogd(8). Aged, Well understood, Reviewed source code, Even proprietary versions aren t very proprietary anymore. Modular. Based mostly on a simple language, C. Securing UNIX Hosts from Local Attack p.7/32

15 The Bad News Architecture is based on files... Securing UNIX Hosts from Local Attack p.8/32

16 The Bad News Architecture is based on files... Permissions can be confusing, Securing UNIX Hosts from Local Attack p.8/32

17 The Bad News Architecture is based on files... Permissions can be confusing, Devices can easily be replaced or backdoored. Securing UNIX Hosts from Local Attack p.8/32

18 The Bad News Architecture is based on files... Permissions can be confusing, Devices can easily be replaced or backdoored. Gaining access past userland usually leads to root. Securing UNIX Hosts from Local Attack p.8/32

19 The Bad News Architecture is based on files... Permissions can be confusing, Devices can easily be replaced or backdoored. Gaining access past userland usually leads to root. File descriptors, status codes, etc., difficult to securely keep track of. Securing UNIX Hosts from Local Attack p.8/32

20 The Bad News Architecture is based on files... Permissions can be confusing, Devices can easily be replaced or backdoored. Gaining access past userland usually leads to root. File descriptors, status codes, etc., difficult to securely keep track of. Long history of buffer overflows, and recently format string vulnerabilities. C isn t forgiving. Securing UNIX Hosts from Local Attack p.8/32

21 Goals Two major requirements in dealing host security are... Securing UNIX Hosts from Local Attack p.9/32

22 Goals Two major requirements in dealing host security are... Users. Securing UNIX Hosts from Local Attack p.9/32

23 Goals Two major requirements in dealing host security are... Users. A good rule of thumb is: once shell access is obtained, privileged access will soon follow. Securing UNIX Hosts from Local Attack p.9/32

24 Goals Two major requirements in dealing host security are... Users. A good rule of thumb is: once shell access is obtained, privileged access will soon follow. For this reason, shell access should be protected. Securing UNIX Hosts from Local Attack p.9/32

25 Goals Two major requirements in dealing host security are... Users. A good rule of thumb is: once shell access is obtained, privileged access will soon follow. For this reason, shell access should be protected. The Kernel. Securing UNIX Hosts from Local Attack p.9/32

26 Goals Two major requirements in dealing host security are... Users. A good rule of thumb is: once shell access is obtained, privileged access will soon follow. For this reason, shell access should be protected. The Kernel. The kernel is busy and can be fooled into trusting malicious code. Securing UNIX Hosts from Local Attack p.9/32

27 Goals Two major requirements in dealing host security are... Users. A good rule of thumb is: once shell access is obtained, privileged access will soon follow. For this reason, shell access should be protected. The Kernel. The kernel is busy and can be fooled into trusting malicious code. It isn t as smart when dealing large amounts of input; it will gladly overwrite memory segments. Securing UNIX Hosts from Local Attack p.9/32

28 Goals Two major requirements in dealing host security are... Users. A good rule of thumb is: once shell access is obtained, privileged access will soon follow. For this reason, shell access should be protected. The Kernel. The kernel is busy and can be fooled into trusting malicious code. It isn t as smart when dealing large amounts of input; it will gladly overwrite memory segments. The kernel panics and often cannot handle the type of an attacker will provide. Securing UNIX Hosts from Local Attack p.9/32

29 Goals Two major requirements in dealing host security are... Users. A good rule of thumb is: once shell access is obtained, privileged access will soon follow. For this reason, shell access should be protected. The Kernel. The kernel is busy and can be fooled into trusting malicious code. It isn t as smart when dealing large amounts of input; it will gladly overwrite memory segments. The kernel panics and often cannot handle the type of an attacker will provide. Truly, the kernel does not understand that someone was foolish when coding. Securing UNIX Hosts from Local Attack p.9/32

30 Where Can This Be Applied Shell servers. FTP servers. Everywhere. Securing UNIX Hosts from Local Attack p.10/32

31 Section One User Accounts and Environments Securing UNIX Hosts from Local Attack p.11/32

32 User Accounts Each user should be given a unique account. Use groups and train people how to use chmod(1). Set a default umask appropriately. Be proactive and do not rely on users to set this up! Don t be afraid to overly litter /etc/group. Remember, you can have (at least) groups. Securing UNIX Hosts from Local Attack p.12/32

33 Resource Exhaustion Building a restricted environment prevents resource exhaustion #include <sys/types.h> #include <unistd.h> void main(int argc, char* argv[]) { while(1) fork(); } Leads to something you might not like: 11:34AM up 326 days, 19:21, 142 users, load averages: 65.26, 55.20, Securing UNIX Hosts from Local Attack p.13/32

34 Restricted Environments Not completely safe, yet effective. Securing UNIX Hosts from Local Attack p.14/32

35 Restricted Environments Not completely safe, yet effective. Requires least amount of binaries be put in $PATH. Securing UNIX Hosts from Local Attack p.14/32

36 Restricted Environments Not completely safe, yet effective. Requires least amount of binaries be put in $PATH. Can be broken out of if you allow... Securing UNIX Hosts from Local Attack p.14/32

37 Restricted Environments Not completely safe, yet effective. Requires least amount of binaries be put in $PATH. Can be broken out of if you allow anything that calls exec(3)... find / -exec /bin/sh -i \{\}\ ; Securing UNIX Hosts from Local Attack p.14/32

38 Restricted Environments Not completely safe, yet effective. Requires least amount of binaries be put in $PATH. Can be broken out of if you allow anything that calls exec(3)... find / -exec /bin/sh -i \{\}\ ;... anything that uses sigsuspend(2)... export EDITOR=/usr/bin/vi; pine -z ;ˆZ Securing UNIX Hosts from Local Attack p.14/32

39 Restricted Environments Not completely safe, yet effective. Requires least amount of binaries be put in $PATH. Can be broken out of if you allow anything that calls exec(3)... find / -exec /bin/sh -i \{\}\ ;... anything that uses sigsuspend(2)... export EDITOR=/usr/bin/vi; pine -z ;ˆZ Requires many environmental variables to be set (see next slide) Securing UNIX Hosts from Local Attack p.14/32

40 Restricted Environments - Variables These variables should be set, at minimum, in a restricted environment. DISPLAY ENV HOME TERM TMP TMPDIR USER. Securing UNIX Hosts from Local Attack p.15/32

41 Restricted Environments - Variables These variables should be set, at minimum, in a restricted environment. DISPLAY ENV HOME TERM TMP TMPDIR USER. PATH. Securing UNIX Hosts from Local Attack p.15/32

42 Restricted Environments - Variables These variables should be set, at minimum, in a restricted environment. DISPLAY ENV HOME TERM TMP TMPDIR USER. PATH. LD_LIBRARY_PATH LD_PRELOAD (depends on shell). Securing UNIX Hosts from Local Attack p.15/32

43 Restricted Environments - Variables These variables should be set, at minimum, in a restricted environment. DISPLAY ENV HOME TERM TMP TMPDIR USER. PATH. LD_LIBRARY_PATH LD_PRELOAD (depends on shell). INPUTRC SHELLOPTS (if using bash). Securing UNIX Hosts from Local Attack p.15/32

44 Restricted Environments - Variables These variables should be set, at minimum, in a restricted environment. DISPLAY ENV HOME TERM TMP TMPDIR USER. PATH. LD_LIBRARY_PATH LD_PRELOAD (depends on shell). INPUTRC SHELLOPTS (if using bash). SHELL VISUAL EDITOR. Securing UNIX Hosts from Local Attack p.15/32

45 Restricted Environments - Builtins Shells have builtins many of which should be disabled. Under bash, set the following in /etc/profile enable -n cd enable -n declare enable -n export enable -n readonly enable -n set enable -n unset enable -n ulimit enable -n enable Securing UNIX Hosts from Local Attack p.16/32

46 Restricted Environments - Don t Be Fooled Don t be fooled: unless you remove all login profiles in /etc/profile before setting the restricting variables, the environment will be broken out of No guarantee is made that even building the environment will work. Restricted environments are difficult to maintain once you start adding more than a handful of applictations. Securing UNIX Hosts from Local Attack p.17/32

47 Section Two Files and File Systems Securing UNIX Hosts from Local Attack p.18/32

48 Files and File Systems - SUID/SGID Files The more the merrier? SUID/SGID file permissions should be removed on anything that isn t critical to a user. In a default Redhat 8.0 install you may find... Superfluous SUID bits == 20 (!) Superfluous SGID bits == 9 What s your definition of superfluous? :) Securing UNIX Hosts from Local Attack p.19/32

49 Files and File Systems - Problems Earlier versions of Solaris forgot to add a sticky bit to /tmp. Securing UNIX Hosts from Local Attack p.20/32

50 Files and File Systems - Problems Earlier versions of Solaris forgot to add a sticky bit to /tmp. Many platforms come with /usr/*bin/* as user writeable. Securing UNIX Hosts from Local Attack p.20/32

51 Files and File Systems - Problems Earlier versions of Solaris forgot to add a sticky bit to /tmp. Many platforms come with /usr/*bin/* as user writeable. /tmp is extremely useful for exploits that write shells as Securing UNIX Hosts from Local Attack p.20/32

52 File and File Systems - Beyond chmod chmod(1) is fine and dandy for file permissions, but cannot apply attributes. However, Securing UNIX Hosts from Local Attack p.21/32

53 File and File Systems - Beyond chmod chmod(1) is fine and dandy for file permissions, but cannot apply attributes. However, Linux: chattr -R +u /usr/*bin/* /*bin Securing UNIX Hosts from Local Attack p.21/32

54 File and File Systems - Beyond chmod chmod(1) is fine and dandy for file permissions, but cannot apply attributes. However, Linux: chattr -R +u /usr/*bin/* /*bin *BSD: chflags -R schg /usr/*bin/* /*bin /bsd* Securing UNIX Hosts from Local Attack p.21/32

55 File and File Systems - Mount Options Where possible, try and... Securing UNIX Hosts from Local Attack p.22/32

56 File and File Systems - Mount Options Where possible, try and......mount /usr read-only,nodev Securing UNIX Hosts from Local Attack p.22/32

57 File and File Systems - Mount Options Where possible, try and......mount /usr read-only,nodev...mount /tmp and /var noexec,nosuid,nodev Securing UNIX Hosts from Local Attack p.22/32

58 File and File Systems - Mount Options Where possible, try and......mount /usr read-only,nodev...mount /tmp and /var noexec,nosuid,nodev...mount /home nosuid,nodev Securing UNIX Hosts from Local Attack p.22/32

59 Double Standards What you ve just told me... Contradicts the keep up to date on patches philosophy. Doesn t allow easy changes to the system. Will cause the much avoided down-time. Securing UNIX Hosts from Local Attack p.23/32

60 Section Three The Kernel Securing UNIX Hosts from Local Attack p.24/32

61 Kernel - Dynamic Configuration Loadable Kernel Modules (LKM) are popular among all major unices. Popular for quite some time in Linux. Has made it s way (as KLD) to *BSD. Helps to dynamically configure an infinite state machine. Makes end-user life easier. How is the kernel to tell if foobar.o is a third-party device driver or part of a rootkit? Securing UNIX Hosts from Local Attack p.25/32

62 Kernel - Risks of LKM s An attacker can spoof replies from fstat(2) and gladly tell your file integrity checker that /bsd wasn t replaced before yesterday s reboot. Securing UNIX Hosts from Local Attack p.26/32

63 Kernel - Risks of LKM s An attacker can spoof replies from fstat(2) and gladly tell your file integrity checker that /bsd wasn t replaced before yesterday s reboot. The attacker may insert code to selectively copy some, or all, data accepted on an interface to a file, named pipe, etc. Securing UNIX Hosts from Local Attack p.26/32

64 Kernel - Risks of LKM s An attacker can spoof replies from fstat(2) and gladly tell your file integrity checker that /bsd wasn t replaced before yesterday s reboot. The attacker may insert code to selectively copy some, or all, data accepted on an interface to a file, named pipe, etc. The attacker can modify the cryptographic framework if loaded as a module. This could be disastrous for <insert large number here> reasons! Securing UNIX Hosts from Local Attack p.26/32

65 Kernel - Risks of LKM s An attacker can spoof replies from fstat(2) and gladly tell your file integrity checker that /bsd wasn t replaced before yesterday s reboot. The attacker may insert code to selectively copy some, or all, data accepted on an interface to a file, named pipe, etc. The attacker can modify the cryptographic framework if loaded as a module. This could be disastrous for <insert large number here> reasons! A rootkit may be installed on the system with known signatures for security programs, and attacker-defined ways of faking their requests. Securing UNIX Hosts from Local Attack p.26/32

66 Kernel - Risks of LKM s An attacker can spoof replies from fstat(2) and gladly tell your file integrity checker that /bsd wasn t replaced before yesterday s reboot. The attacker may insert code to selectively copy some, or all, data accepted on an interface to a file, named pipe, etc. The attacker can modify the cryptographic framework if loaded as a module. This could be disastrous for <insert large number here> reasons! A rootkit may be installed on the system with known signatures for security programs, and attacker-defined ways of faking their requests. Oh, so many possibilities! Securing UNIX Hosts from Local Attack p.26/32

67 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Securing UNIX Hosts from Local Attack p.27/32

68 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Requires cryptographic framework to part of the core kernel. Securing UNIX Hosts from Local Attack p.27/32

69 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Requires cryptographic framework to part of the core kernel. Where do the signatures come from? Hopefully not from the same host! Securing UNIX Hosts from Local Attack p.27/32

70 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Requires cryptographic framework to part of the core kernel. Where do the signatures come from? Hopefully not from the same host! Will still be vulnerable if the attacker can backdoor the kernel loader. Securing UNIX Hosts from Local Attack p.27/32

71 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Requires cryptographic framework to part of the core kernel. Where do the signatures come from? Hopefully not from the same host! Will still be vulnerable if the attacker can backdoor the kernel loader. Makes for a much larger kernel. Why bother? Securing UNIX Hosts from Local Attack p.27/32

72 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Requires cryptographic framework to part of the core kernel. Where do the signatures come from? Hopefully not from the same host! Will still be vulnerable if the attacker can backdoor the kernel loader. Makes for a much larger kernel. Why bother? Linux 2.4 provides CAP_SYS_MODULE. Securing UNIX Hosts from Local Attack p.27/32

73 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Requires cryptographic framework to part of the core kernel. Where do the signatures come from? Hopefully not from the same host! Will still be vulnerable if the attacker can backdoor the kernel loader. Makes for a much larger kernel. Why bother? Linux 2.4 provides CAP_SYS_MODULE. StMichael: Monitors init_module and delete_module under Linux 2.2 and 2.4. Securing UNIX Hosts from Local Attack p.27/32

74 Kernel - Combating LKM Insecurities Permit only signed modules to be inserted into the kernel. Requires cryptographic framework to part of the core kernel. Where do the signatures come from? Hopefully not from the same host! Will still be vulnerable if the attacker can backdoor the kernel loader. Makes for a much larger kernel. Why bother? Linux 2.4 provides CAP_SYS_MODULE. StMichael: Monitors init_module and delete_module under Linux 2.2 and 2.4. Do away with LKM s (my vote). Securing UNIX Hosts from Local Attack p.27/32

75 More Security Defenses - Linux Openwall patches are useful for older 2.2 kernels. Builds a non-executable user stack area. Restricts games played in /tmp. Handles file-descriptors 0, 1 and 2 better. Destroys memory segments not in use. Gentoo Linux is now built with gcc 3.2+ProPolice. More development is taking place in Linux to increase the core security, but it is sloooooow. Securing UNIX Hosts from Local Attack p.28/32

76 More Security Defenses - OpenBSD As of 3.2-stable OpenBSD now has a non-executable stack under 5 architectures (i386, sun4m, sparc64, alpha, macppc). Can facilitate systrace(1) and execute applications according to defined policies. Binaries are built with gcc 3.2+ProPolice. Securing UNIX Hosts from Local Attack p.29/32

77 More Security Defenses - FreeBSD FreeBSD can be hardened by implementing the TrustedBSD patches to the core system. Mandatory access control modules and access control lists for files/filesystems permit more granular security policies to be imposed system-wide. Improved privilege structures will assist in reducing the amount of privileges required to run applications. While the TrustedBSD work doesn t apply directly to FreeBSD, much of the work is back-ported to FreeBSD. Securing UNIX Hosts from Local Attack p.30/32

78 Conclusion Contribute security related code to open-source movements. Take base system tools and improve them. Write your own advancements for UNIX, Hint: It would be nice to have kernel functions that deny access to any files... Hint: Re-engineering isn t necessarily a bad thing... Securing UNIX Hosts from Local Attack p.31/32

79 Thank You Thanks for your time. For security related help contact For incident related help, contact Questions of comments are welcome! Contact me at Visit us on the Web at < Securing UNIX Hosts from Local Attack p.32/32