Unix Security Technologies
Pete Markowsky <peterm[at] ccs.neu.edu>

What is this about?
The goals of this CPU/SWS are:
- Introduce you to classic vulnerabilities
- Get you to understand security advisories
- Make computer security more tangible
- Introduce you to a plethora of tools
They are not:
- To teach you how to crack / hack specific software
- To teach you the depths of win32 programming

Prerequisites
You'll want:
- Some knowledge of the C programming language
- To have taken Computer Organization
- A general knowledge of TCP/IP

Expectations
- Two types of assignments
  - Expected -- programs / tools
  - Bonus -- more code samples for fun
- No grades, but it'll help if you play with the expected exercises

Syllabus
- Week 1: Introduction to Software Vulns
- Week 2: Host Security measures (stack)
- Week 3: More Host Security measures
- Week 4: Network Monitoring Tools
- Week 5: Honeypots & Honeynets
- Week 6: Intrusion Detection and Prevention

Disclaimer
- The material discussed here can be used to attack services and other programs.
- Do not use the techniques discussed here without first gaining permission to do so.
- Failure to do so can result in serious fines and jail time.
- Consider yourself warned.

Today's Class
- Is background for the rest of the class
- What is security?
- What is a security technology?
- Disclosure
- Software Vulns

Vocab
- Vulnerability -- a defect in software that could lead to compromise or other misuse of software
- Exploit -- code to take advantage of a vulnerability

The Problem
- As we become more connected, more people have access to our resources
- Not all of them are friendly

Security is
- About preventing compromises
  - Prevention eventually fails
- About mitigating the effects of a compromise
- Probabilistic / not absolute
- The process of maintaining an acceptable level of risk

Not If But When
- Around 2000, the expected time until compromise for a Red Hat 7.0 box: 72 hours
- Fastest compromise time of a honeypot
  - 15 minutes (human)
  - 90 seconds (worm)

Security Technologies
For the purposes of this class are:
- Security-related software
  - Tools
  - Patches
  - Mechanisms
- Could also be any hardware solutions

Disclosure
- What should I do if I find a vulnerability?
- This is an ethical question
- Rain Forest Puppy's essay on disclosure

Disclosure
I believe you should:
- Contact the vendor politely
- Explain the problem to them in detail
- Allow them a grace period before you release information
- Disclose information to a list such as bugtraq

Attacker Methodology
Many attacks go through the following stages:
- Probe
  - Port scanners
- Enumerate
  - Service scanners / banner grabbing
- Penetrate
  - Exploits
- Persist
  - Rootkits

A Few Categories of Software Vulns
- Buffer Overflows
  - Stack based overflows
  - Return to libc
  - Heap based overflows
- Directory Traversal
- Race Conditions
- SQL Injection
- Information Disclosure

Buffer Overflows
- The idea: stuff more stuff into a buffer than the size of the buffer
- Are still in a lot of software
- Are the most studied software security bug

Virtual Memory
Virtual memory is used to:
- Allow for the most efficient use of main memory
- Allow a program to use more memory than is physically on the machine
- Provide a uniform address space to each process

What is a Process?
- A process is a program that has been loaded into memory
- Is an abstraction of a running program
- Contains multiple segments
  - Text -- your code
  - BSS -- zeroed variables (not always used)
  - Stack -- local / automatic variables
  - Heap -- dynamic memory
  - Data -- global variables etc.

What Does a Process Look Like in Memory?
What is a Buffer?
- A buffer is a contiguous block of computer memory that holds multiple instances of the same data type.
- Most often known as an array

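What's wrong with this Code?

    #include <stdio.h>
    #include <string.h>   /* declares strcpy */

    int main(int argc, char **argv)
    {
        char string[500];

        /* copy the first command-line argument into the local buffer */
        if (argc > 1)
            strcpy(string, argv[1]);
        return 0;
    }
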
Quick Review of Function Calling
- What does a function call look like in asm?
- Two parts
- Preamble: push arguments on to the stack in reverse order

    pushl $3
    pushl $2
    pushl $1
    call function

Stack
Stack Overflows
- The idea: overwrite the return address stored on the stack with the address of code you want to run
- Often the address of the buffer with your code

Executing Code from the Stack
- Any code from the stack has to be assembly
- Usually has to be free of NULL characters
- Conform to the characteristics of the hardware platform

    0x08048394 <main+0>:   push %ebp
    0x08048395 <main+1>:   mov  %esp,%ebp
    0x08048397 <main+3>:   sub  $0x218,%esp
    0x0804839d <main+9>:   and  $0xfffffff0,%esp
    0x080483a0 <main+12>:  mov  $0x0,%eax
    0x080483a5 <main+17>:  sub  %eax,%esp

What Do You Run?
- Often code used in exploitation is a system call to run a shell
- Processes inherit their parent's attributes
  - This includes permissions

Exploitation Problems
- How can an attacker locate the address of their code?
- If you miss the start of your code it won't work
- Strings have to be null terminated
- Trial and error
- Though you can improve your chances by placing NOPs at the beginning of your code
- Jump and Call

NOP sleds
- NOPs are instructions that tell the processor "don't do anything"
- Often used to align operations to word boundaries
- When placed in a buffer, execution follows from the NOPs to the shellcode

Preventing the Stack Problem
How could we prevent our program from being exploited?
- Check boundaries (strncpy)
- Use a different language
- Non-executable stack

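
The "check boundaries" option applied to the earlier example program, as an added example that is not part of the original slides. The helper names `copy_arg` and `strncpy_terminated` are illustrative; the second shows why strncpy on its own is not a complete fix.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 500   /* same size as the buffer in the slide's example */

/* Copy src into dst (capacity dstsz) only if it fits, terminator included.
 * Returns 0 on success, -1 if src is missing or too long. On failure dst
 * holds the empty string, so the caller never sees a truncated value. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    while (len < dstsz && src[len] != '\0')   /* never scans past dstsz */
        len++;
    if (len >= dstsz)                         /* no room for the '\0' */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* strncpy bounds the write but leaves dst unterminated when src is
 * dstsz bytes or longer, so terminate explicitly. Truncates silently. */
size_t strncpy_terminated(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 0;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(dst);
}

int main(int argc, char **argv)
{
    char string[BUF_SIZE];

    if (argc > 1 && copy_arg(string, sizeof string, argv[1]) != 0) {
        fprintf(stderr, "argument exceeds %d bytes, rejected\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

Rejecting an oversized argument is usually preferable to truncating it, because a silently shortened path or command can change meaning.
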
Return to libc
- Fake a function call by corrupting the stack
- You simply set the stack up to look like a function was called
- Bypasses non-executable stacks

Heap Overflows
The heap:
- Dynamic memory is allocated here
- The heap is a dynamic structure
- It contains control structures
- Is resized via the (s)brk system call

Malloc
- malloc is built on top of the brk system call
- Avoids fragmentation
- Contains control structures in band
  - Linked list / tree
- malloc: http://gee.cs.oswego.edu/dl/html/malloc.html

Heap Overflows
- The general idea is to overwrite the control structures used by malloc
- Sometimes create your own chunk
- Are much harder than stack overflows
- w00w00 paper: http://www.w00w00.org/files/articles/heaptut.txt

Directory Traversal
- Sometimes a program will interact with a file system, taking the path from the user
- Improper validation allows the user to specify which file is used
- Examples
  - IIS 5.0 directory traversal
  - Solaris kernel module loading

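
A lexical containment check for the validation step described above, as an added example that is not part of the original slides. `path_stays_in_root` is a hypothetical helper name; the check assumes the path has already been fully decoded and it does not resolve symlinks.

```c
#include <string.h>

/* Returns 1 if rel, interpreted relative to a document root, stays inside
 * that root, and 0 otherwise. Purely lexical: run it on the fully decoded
 * path (after any URL or Unicode decoding), never on the raw request. */
int path_stays_in_root(const char *rel)
{
    int depth = 0;
    const char *p = rel;

    if (rel == NULL || rel[0] == '/' || rel[0] == '\\')
        return 0;                          /* absolute paths leave the root */
    while (*p != '\0') {
        size_t n = strcspn(p, "/\\");      /* treat both separators alike */

        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;                  /* climbed above the root */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            depth++;                       /* ordinary path component */
        }
        p += n;
        if (*p != '\0')
            p++;                           /* step over the separator */
    }
    return 1;
}
```
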
Race Conditions
- Occur when an unexpected ordering of events produces contention over the same resource.
- Quite literally a race
- Example: temp files and symlinks

Race Conditions
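
The temp-file and symlink case named above, with the racy open beside an atomic one, as an added example that is not part of the original slides. Function names, the file names and the private /tmp directory are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp/symlink under strict -std modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: the name is predictable, and open() follows whatever already
 * sits at that path, including a symlink created before this call. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_CREAT|O_EXCL makes "does it exist?" and "create it" one atomic step
 * and fails with EEXIST if the final component is a symlink. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed demo in a private directory: a symlink already occupies the
 * expected temp-file name. Returns a bitmask: bit 0 = unsafe open wrote
 * through the link and created its target; bit 1 = safe open refused. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/racedemoXXXXXX", lnk[64], target[64];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnk, sizeof lnk, "%s/app.tmp", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0)
        return -1;
    fd = open_tmp_safe(lnk);
    if (fd < 0 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);
    fd = open_tmp_unsafe(lnk);
    if (fd >= 0 && stat(target, &st) == 0) result |= 1;
    if (fd >= 0) close(fd);
    unlink(target); unlink(lnk); rmdir(dir);
    return result;
}
```

For real temporary files, mkstemp(3) is the usual choice: it picks an unpredictable name and creates the file exclusively with mode 0600.
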
SQL injection
- Improper input validation in applications communicating with a SQL database
- This allows a user to alter the SQL query
- Example:

    select user from usernames where password = 'pass'

  Could become

    select user from usernames where password = '' or 1=1

- This would evaluate to true

Information Disclosure
- Tricking a program into giving you information about it or other details of the system
- Examples
  - Mac OS X at vulnerability

Assignments
- Exploit the example code shown earlier
  - Just spawn a shell (/bin/sh), no root privs
  - You can write code for this in any language you want
  - Hint: Read Smashing the Stack by Aleph1
- Read Rain Forest Puppy's disclosure essay
- Bonus: http://www.vodun.org/papers/cpu/class1/