Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Transcription

1 Unix Security Technologies Pete Markowsky <peterm[at] ccs.neu.edu>

2 What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make computer security more tangible Introduce you to a plethora of tools They are Not: To teach you how to crack / hack specific software To teach you the depths of win32 programming

3 Prerequisites You ll want: Some knowledge of the C programming language To have taken Computer Organization A general knowledge of TCP/IP

4 Expectations Two types of assignments Expected -- programs / tools Bonus -- more code samples for fun No grades but it ll help if you play with the expected exercises

5 Syllabus Week 1: Introduction to Software Vulns Week 2: Host Security measures (stack) Week 3: More Host Security measures Week 4: Network Monitoring Tools Week 5: Honeypots & Honeynets Week 6: Intrusion Detection and Prevention

6 Disclaimer The material discussed here can be used to attack, services and other programs. Do not use the techniques discussed here without first gaining permission to do so. Failure to do so can result in serious fines and jail time. Consider yourself warned

7 Today s Class Is background for the rest of the class What is security? What is a security technology? Disclosure Software Vulns

8 Vocab Vulnerability -- is defined as a defect in software that could lead to compromise or other misuse of software Exploit -- is code to take advantage of a vulnerability

9 The Problem As we become more connected more people have access to our resources Not all of them are friendly

10 Security is About preventing compromises Prevention eventually fails About mitigating the effects of a compromise Probabilistic / not absolute The process of maintaining an acceptable level of risk

11 Not If But When Around 2000 expected time until compromise for red hat 7.0 box 72 hours Fastest Compromise Time of a Honeypot 15 minutes (Human) 90 seconds (worm)

12 Security Technologies For the purposes of this class are: Security related software Tools Patches Mechanisms Could also be any hardware solutions

13 Disclosure What should I do if I find a vulnerability? This is an ethical question Rain Forest Puppy s Essay on disclosure

14 Disclosure I believe you should Contact the vendor politely Explain to them in detail the problem Allow them a grace period before you release information Disclose information to a list such as bugtraq

15 Attacker Methodology Many attacks go through the following stages Probe Port scanners Enumerate Service Scanners / banner grabbing Penetrate exploits Persist Rootkits

16 A Few Categories of Software Vulns Buffer Overflows Stack based overflows Return to libc Heap based overflows Directory Traversal Race Conditions SQL Injection Information Disclosure

17 Buffer Overflows The idea: Stuff more stuff into a buffer than the size of the buffer Are Still in a lot of software Are the most studied security software bug

18 Virtual Memory Virtual Memory is used to Allow for the most efficient use of main memory Allow for a program to use more memory than physically on the machine Provide a uniform address space to each process

19 What is a Process? A process is a program that has been loaded into memory Is an abstraction of a running program Contains multiple segments Text -- your code BSS -- zeroed variables (not always used) Stack -- local / automatic variables Heap -- dynamic memory Data -- global variables etc.

20 What Does a Process Look Like in Memory?

21 What is a Buffer? A buffer is a contiguous block of computer memory that holds multiple instances of the same data type. Most often known as an array

22 What s wrong with this Code? #include <stdio.h> int main (int argc, char **argv) { char string [500]; if(argc < 1) strcpy(string, argv[1]); return 0; }

23 Quick Review of Function Calling What does a function call look like in asm? Two parts Preamble: push arguments on to the stack in reverse order pushl $3 pushl $2 pushl $1 call function

24 Stack

25 Stack Overflows The idea: Overwrite the return address stored on the stack with the address of code you want to run Often the address of the buffer with your code

26 Executing Code from the Stack Any code from the stack has to be assembly Usually has to be free of NULL characters Conform to the characteristics of the hardware platform 0x <main+0>: push %ebp 0x <main+1>: mov %esp,%ebp 0x <main+3>: sub $0x218,%esp 0x d <main+9>: and $0xfffffff0,%esp 0x080483a0 <main+12>: mov $0x0,%eax 0x080483a5 <main+17>: sub %eax,%esp

27 What Do You Run? Often code used in exploitation is a system call to run a shell Processes inherit their parents attributes This includes permissions

28 Exploitation Problems How can an attacker locate the address of their code? If you miss the start of your code it won t work Strings have to be null terminated Trial and Error Though you can improve you chances by placing NOPs at the beginning of your code Jump and Call

29 NOP sleds NOPs are instructions that tell the processor don t do anything Often used to align operations to word boundaries When placed in buffer execution follows from the NOPs to the shellcode

30 Preventing the Stack Problem How could we prevent our program from being exploited? Check boundaries (strncpy) Use a different language Non-executable stack

31 Return to libc Fake a function call by corrupting the stack You simply set the stack up to look like a function was called By Passes Non-executable stacks

32 Heap Overflows The heap Dynamic Memory is allocated here The heap is a dynamic structure It contains control structures Is resized via the (s)brk system calll

33 Malloc malloc built on top of brk system call Avoids fragmentation Contains control structures in band Linked list / tree malloc

34 Heap Overflows The general idea is to overwrite the control structures used by malloc Sometimes create your own chunk Are much harder than stack overflows w00 w00 paper

35 Directory Traversal Sometimes a program will interact with a file system taking the path from the user Improper validation allows the user to specify which file is used Examples IIS 5.0 directory traversal Solaris Kernel module loading

36 Race Conditions Occurs when an unexpected ordering of events produces contention over the same resource. Quite literally a race Example: Temp files and symlinks

37 Race Conditions

38 SQL injection Improper input validation in applications communicating with a SQL This allows a user to alter the SQL query Example: select user from usernames where password = pass Could become select user from usernames where password = or 1=1 This would evaluate to true

39 Information Disclosure Tricking a program into giving you information about it or other details of the system Examples Mac OS X at vulnerability

40 Assignments Exploit the example code shown earlier Just spawn a shell /bin/sh no root privs You can write code for this in any language you want Hint: Read Smashing the Stack By Aleph1 Read Rain Forest Puppy s disclosure essay Bonus: