PHP is rapidly becoming, if not already, the de facto standard for web application development and deployment. Writing PHP applications that accurately enforce your security policies requires knowledge of the general architecture of PHP as well as of the i5/OS-specific components of that architecture.
helping business manage the security equation™
i5/OS Security in a PHP World
Patrick Botz, VP, Security Consulting, Group8 Security, Inc.
www.group8security.com
© 2008 Group8 Security, Inc. All Rights Reserved. www.group8security.com
Agenda
• What to Protect
  • Implementation
    • PHP Resources
    • Native Resources
• How to Protect
  • Architecture
  • Web Server
  • PHP Core Components
  • Native Resources
  • IFS
What to Protect
PHP: Just Another Interface
(Diagram: the system's non-PHP-specific information assets sit on i5/OS and are reached through PHP in exactly the same way as through ODBC, FTP, Telnet, etc.)
Food For Thought
• PHP is another interface to i5/OS, just like ODBC, FTP and Telnet are interfaces to i5/OS.
• i5/OS resources need to be protected properly, independently of PHP.
• There are no "exit points" for PHP: unlike FTP, ODBC or Telnet, there is no hook where an exit program can screen PHP requests, so object-level authority is the control you have.
• Limited capabilities do not apply: LMTCPB(*YES) only restricts what a user can type at a command line; it does not stop a PHP script from running commands on that user's behalf.
• An exclusionary access model (EAM) is required: normal user profiles are NOT allowed to access data directly, e.g. PUBLIC *EXCLUDE on the data objects.
• The i5/OS PHP architecture lends itself to easy implementation in an EAM environment.
i5/OS PHP Architecture
(Diagram, referred to throughout the deck. Components on the PASE (AIX) side: Apache Web Server (PHP), PHP Core Engine, i5os_*() and db2_*() extensions. Components on the native i5/OS side: Apache Web Server (native), Native Database, Native Resources, IFS, PHP Admin Tools, I5_COMD Process. Off-system: Remote Database. Numbered arrows 1 through 8 mark the seams between components.)
What to Protect
• ALL information assets on the system, not just PHP resources
• The PHP implementation (PHP components, directories, stream files, programs, libraries, objects, user profiles)
• External access point(s)
• Focus on the seams (i.e. the white arrows in the architecture diagram)
From Whom to Protect
• Bad guys (gender neutral) on the Internet
• Bad guys (gender neutral) on the intranet
Protecting the PHP Implementation/Environment
(Architecture diagram again, annotated with the implementation's names: Zend Core, /usr/local/zend, /www/zendcore, the NOBODY, NOGROUP, ZENDADMIN, ZENDTECH and PHPWEBUSR profiles, and PUBLIC *EXCLUDE. The annotations distinguish access rights from execution rights.)
User Profiles Shipped With the Distribution
• NOBODY: runs the PHP Apache Web server and Zend Core jobs (ZENDCOREAP). Group = NOGROUP. Special authorities = *NONE.
• ZENDADMIN: starts/stops jobs in the ZEND subsystem; pseudo-random number generator for encryption-related services. Group = *NONE. *ALL special authorities.
• ZENDTECH: updates the PHP configuration. Group = *NONE. Special authorities = *NONE.
• NOGROUP: a GROUP profile. Use this profile to grant access, not the NOBODY user profile.
NOTE: PASE user IDs are equivalent to i5/OS user profiles.
User Profile to Consider
• PHPWEBUSR: configure the native Apache Web server to run under a dedicated user profile. Special authorities = *NONE. Group = *NONE.
/www/zendcore and /www/zendcore/*
Contains the i5/OS Web server configuration files and application resources.
Access control objective: PUBLIC *EXCLUDE
• /www/zendcore and /www/zendcore/*: PUBLIC *EXCLUDE
• /www: PUBLIC *X or *USE, or *EXCLUDE if there are no other web apps or the other web apps permit it
• The i5/OS Web server user profile may need *R (i.e. "r--") to the same directories
/usr/local/zend and /usr/local/zend/*
Contains the PHP Web server and PHP core configuration files and application resources.
Access control objective: prevent anyone other than PHP administrators from accessing (let alone changing) configuration files/resources.
• /usr/local/zend and /usr/local/zend/*: PUBLIC *EXCLUDE
• /usr and /usr/local: PUBLIC *USE
ZENDCORE Library/Objects
Contains the administrative tools/functions (configure, start/stop).
Access control objective: prevent anyone other than PHP administrators from using them; in particular, protect the PROGRAMS that adopt QSECOFR authority.
• PUBLIC = *EXCLUDE
• Consider using ZENDADMIN and ZENDTECH as group profiles; each PHP administrator profile should be a member of one or the other.
Configure Web Server Security
Web Server Security
The native i5/OS Web server acts as a "mirror" (reverse proxy) for the PHP Web server:
• Listens on port 89
• All requests to the i5/OS server are changed to requests to the PHP server
• All responses from the PHP server are changed to responses from the i5/OS server
PHP Web server:
• Localhost (127.0.0.1) only, so it cannot be reached directly from the network
• Port 8000
Recommendations:
• Use a reverse proxy in your DMZ
• Keep buffer overflow exposure in mind: the PASE Web server and PHP engine are AIX binaries, not i5/OS objects
• Use SSL connections
• Run the i5/OS Web server under a dedicated user profile (e.g. PHPWEBUSR)
Programming Practices
Programming Practices
i5_*() APIs: connection management, command calls*, program calls*, data retrieval*, native file access*, system values*, data areas, print and working with spool files, job logs, active jobs, object list, user space, data queue
db2_*() APIs: server/connection, result, commit/rollback, fetch, field information, key information, statement, errors, column/procedure, table information
If you run with PUBLIC *USE or *ALL, you make it SIGNIFICANTLY easier for an internal or external attacker to directly and indirectly access sensitive data!
PHP Program File Management
• Exclusionary access control is the only viable model: PUBLIC = *EXCLUDE, or "other" = "---", for everything related to PHP. Give NOBODY (or another service user profile) read or write access only where necessary.
• Put PHP scripts/programs for separate functions in separate directories, e.g. /www/php/pgm1, /www/php/pgm2, /www/pgm3, /www/pgm/common
Programming Practices: i5_connect() API
resource i5_connect(string server, string user, string password [, array options])
Return value: i5/OS connection resource, or false on failure.
Arguments:
• server - Name of the server to connect to; either a symbolic name or an IP. Note: the system name can only be localhost or 127.0.0.1.
• user - User name to use for connecting. Note: if no user or password is provided, the connection is established under the NOBODY user profile. Note: the user name QSECOFR cannot be used in this function.
• password - Password for the user name
• options - Miscellaneous connection options
Programming Practices: i5_adopt_authority() API
Changes the I5_COMD process for this connection to run under the supplied user profile.
bool i5_adopt_authority(string username, string password [, resource connection])
Return value: Boolean success value.
Arguments:
• username - Name of the user to change to
• password - Password for the user
• connection - Connection resource returned by i5_connect()
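Connecting the way the two API slides above describe, as an added example that is not from the original deck: the script connects with no credentials (so the connection starts under NOBODY), then uses i5_adopt_authority() to switch this connection's I5_COMD process to a dedicated service profile before running one fixed CL command. It assumes the i5 Toolkit extension is loaded and also uses its i5_command(), i5_close() and i5_errormsg() calls, which the slides do not list. The profile name PHPSVC, the password file /usr/local/phpapp/etc/svc.pwd, and the library, data area and command value are hypothetical.

```php
<?php
// Added example (not part of the original slides). Assumes the i5 Toolkit
// extension (i5_connect, i5_adopt_authority, i5_command, i5_close,
// i5_errormsg). PHPSVC, the password file path and the CL command's library,
// data area and value are hypothetical.

const SERVICE_PROFILE  = 'PHPSVC';                        // dedicated profile, never QSECOFR
const SERVICE_PWD_FILE = '/usr/local/phpapp/etc/svc.pwd'; // outside /www, PUBLIC *EXCLUDE

/**
 * Read the service profile's password from a stream file that the PHP jobs
 * (NOBODY, via NOGROUP) can read but PUBLIC cannot. Keeping it out of the
 * script means a leaked or FTP-downloaded .php file does not leak the password.
 */
function loadServicePassword(string $path = SERVICE_PWD_FILE): string
{
    $pwd = @file_get_contents($path);
    if ($pwd === false || trim($pwd) === '') {
        throw new RuntimeException('service password unavailable');
    }
    return trim($pwd);
}

/**
 * Connect with no credentials (the connection starts under NOBODY), then
 * switch this connection's I5_COMD process to the service profile. The end
 * user is never asked for an i5/OS user ID or password.
 */
function connectAsServiceProfile()
{
    // Only localhost / 127.0.0.1 is accepted as the server name.
    $conn = i5_connect('127.0.0.1', '', '');
    if ($conn === false) {
        throw new RuntimeException('i5_connect failed: ' . i5_errormsg());
    }
    if (!i5_adopt_authority(SERVICE_PROFILE, loadServicePassword(), $conn)) {
        i5_close($conn);
        throw new RuntimeException('i5_adopt_authority failed: ' . i5_errormsg());
    }
    return $conn;
}

/**
 * Run one fixed CL command under the service profile. The command text is a
 * constant: nothing taken from the HTTP request is ever interpolated into it.
 */
function setReportFlag($conn): bool
{
    $ok = i5_command("CHGDTAARA DTAARA(APPLIB/RPTFLAG) VALUE('1')", [], [], $conn);
    if (!$ok) {
        error_log('CHGDTAARA failed: ' . i5_errormsg($conn));
    }
    return $ok;
}

$conn = connectAsServiceProfile();
try {
    echo setReportFlag($conn) ? 'flag set' : 'flag not set', PHP_EOL;
} finally {
    i5_close($conn);
}
```

The deck's alternative store for the password is a validation list (*VLDL) entry; whichever store is used, the points are the same: only the profile the PHP jobs run under can read it, PUBLIC is *EXCLUDE, and the profile being adopted has no special authorities and only the object authority the application needs.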
Protecting Database Files
• db2_connect("", "", ""): connects to the database on the PHP host system as user profile NOBODY. Note: when no user ID/password is provided, the connection runs in the same process/job as the PHP core; otherwise the connection runs in a separate prestarted job.
• db2_connect("*LOCAL", "SOMEUSER", "PASSWORD"): connects to the database on the system on which the PHP core engine is running, as user profile SOMEUSER.
• db2_connect("10.1.2.15", "SOMEUSER", "PASSWORD"): connects to the remote database at 10.1.2.15 as user profile SOMEUSER.
Protecting Database Files: db2_exec() API
resource db2_exec(resource connection, string statement [, array options])
Return value: statement resource if the SQL statement was issued successfully, or FALSE if the database failed to execute the SQL statement.
Arguments:
• connection - A valid database connection resource as returned from db2_connect() or db2_pconnect().
• statement - An SQL statement. The statement cannot contain any parameter markers.
• options - Optional array of statement options
Protecting Database Files
Protect against SQL injection attacks!
The statement parameter is the most important parameter to validate: it is an SQL statement that cannot contain any parameter markers, so any user input placed in it becomes part of the SQL text itself.
Instead of db2_exec(), use db2_prepare() with db2_bind_param() (or the parameter array of db2_execute()) and db2_execute().
Protecting Database Files: db2_prepare() API
This API creates a prepared SQL statement which can include parameter markers (? characters).
resource db2_prepare(resource connection, string statement [, array options])
Return value: a statement resource used as input to the db2_execute() and db2_bind_param() APIs.
Arguments:
• connection - A valid database connection resource as returned from db2_connect() or db2_pconnect().
• statement - An SQL statement, optionally containing one or more parameter markers.
• options - Optional array of statement options
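The unsafe and the safe path side by side, as an added example that is not from the original deck. buildUnsafeSearchSql() shows how a value spliced into a db2_exec() statement rewrites the query; findCustomersByName() is the hardened form the slides call for, using db2_prepare() and db2_execute() with a parameter marker behind whitelist validation. It assumes the ibm_db2 extension (db2_connect, db2_prepare, db2_execute, db2_fetch_assoc, db2_close, db2_conn_errormsg, db2_stmt_errormsg). The APPLIB.CUSTOMER table and its columns, the PHPSVC profile and the PHPSVC_PWD environment variable are hypothetical; the unsafe builder runs without a database.

```php
<?php
// Added example (not part of the original slides). Assumes the ibm_db2
// extension. APPLIB.CUSTOMER, its columns, the PHPSVC profile and the
// PHPSVC_PWD environment variable are hypothetical.

/**
 * VULNERABLE: the search text is spliced into the statement text. db2_exec()
 * cannot take parameter markers, so a quote in $search rewrites the SQL.
 */
function buildUnsafeSearchSql(string $search): string
{
    return "SELECT CUSTNO, NAME, CREDIT FROM APPLIB.CUSTOMER WHERE NAME = '$search'";
}

/**
 * HARDENED: whitelist validation first, then a prepared statement with a
 * parameter marker. The value is supplied at execute time and can only ever
 * be compared as data, never parsed as SQL.
 */
function findCustomersByName($conn, string $search): array
{
    // Letters, spaces, apostrophes and hyphens, at most 30 characters: enough
    // for a name like O'Brien, not for quotes followed by operators.
    if (!preg_match("/^[A-Za-z '\\-]{1,30}$/", $search)) {
        throw new InvalidArgumentException('rejected search text');
    }

    $sql  = 'SELECT CUSTNO, NAME, CREDIT FROM APPLIB.CUSTOMER WHERE NAME = ?';
    $stmt = db2_prepare($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . db2_stmt_errormsg());
    }
    // db2_execute() takes the parameter values as an array; db2_bind_param()
    // is the alternative when binding PHP variables by name.
    if (!db2_execute($stmt, [$search])) {
        throw new RuntimeException('execute failed: ' . db2_stmt_errormsg($stmt));
    }

    $rows = [];
    while (($row = db2_fetch_assoc($stmt)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// What an attacker submits, and what the unsafe builder makes of it (runs
// without a database):
$payload = "x' OR '1'='1";
echo buildUnsafeSearchSql($payload), PHP_EOL;
// SELECT CUSTNO, NAME, CREDIT FROM APPLIB.CUSTOMER WHERE NAME = 'x' OR '1'='1'
// i.e. every row in the table.

// The hardened path, on a system with the ibm_db2 extension: connect as a
// dedicated service profile that holds its own authority to the files, not
// as NOBODY against PUBLIC *USE data and not as the end user.
if (function_exists('db2_connect')) {
    $conn = db2_connect('*LOCAL', 'PHPSVC', getenv('PHPSVC_PWD') ?: '');
    if ($conn === false) {
        throw new RuntimeException('connect failed: ' . db2_conn_errormsg());
    }
    try {
        try {
            findCustomersByName($conn, $payload);      // stopped by validation
        } catch (InvalidArgumentException $e) {
            echo 'payload rejected: ', $e->getMessage(), PHP_EOL;
        }
        foreach (findCustomersByName($conn, "O'Brien") as $row) {
            echo $row['CUSTNO'], ' ', $row['NAME'], PHP_EOL;
        }
    } finally {
        db2_close($conn);
    }
}
```

Even with the prepared statement, the validation step stays: the parameter marker stops injection, while the whitelist bounds what the query can be asked for and rejects wildcards and over-long input before the database sees them.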
Parameter Validation
Do ROBUST parameter validation in your PHP code!
Parameter Validation Examples
A (very) few examples of parameter validation:
• Password variables: length >= QPWDMINLEN and <= QPWDMAXLEN
• User ID names: <= 10 characters, no special characters
• SQL search text: does not include ANY special characters or SQL operators
Parameter Validation Examples (cont.)
• Miscellaneous variables: reasonable lengths for path names; reasonable parent directory path names for file specifications; a selected item from a list is actually a member of the selection list provided
• Avoid text input fields wherever possible; use selection lists instead
• Avoid asking the end user for a user ID/password: run under NOBODY, or consider a hard-coded user ID with the password looked up at run time (e.g. from a validation list (*VLDL) entry) rather than embedded in the script
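The checks listed on these two slides written out as functions, as an added example that is not from the original deck: pure PHP, no i5/OS extension required, with a self-check on constructed inputs that runs from the command line. The QPWDMINLEN/QPWDMAXLEN bounds are passed in as integers (on the system they would come from the toolkit's system-value support listed earlier rather than be hard-coded); the character sets used for user IDs and search text are this example's reading of "no special characters".

```php
<?php
// Added example (not part of the original slides). Pure PHP, runs offline.
// QPWDMINLEN/QPWDMAXLEN are passed in; on the system they would be read from
// the system values rather than hard-coded here.

/** Password length must be within QPWDMINLEN..QPWDMAXLEN before it is ever used. */
function validatePasswordLength(string $pwd, int $qpwdminlen, int $qpwdmaxlen): bool
{
    $len = strlen($pwd);
    return $len >= $qpwdminlen && $len <= $qpwdmaxlen;
}

/**
 * User profile names: at most 10 characters, letters and digits only, starting
 * with a letter. i5/OS itself also accepts $, # and @ in profile names;
 * rejecting them for web input is the conservative reading of the slide.
 */
function validateUserId(string $userId): bool
{
    return preg_match('/^[A-Z][A-Z0-9]{0,9}$/', $userId) === 1;
}

/**
 * Free-text search input: letters, digits and spaces only, bounded length, so
 * no quotes, semicolons, comment markers, wildcards or SQL operators get through.
 */
function validateSearchText(string $text, int $maxLen = 30): bool
{
    return strlen($text) <= $maxLen && preg_match('/^[A-Za-z0-9 ]+$/', $text) === 1;
}

/**
 * A value posted back from a selection list must be one of the choices the
 * application offered. Strict comparison keeps "2" and 2 apart and never
 * trusts the browser to have enforced the list.
 */
function validateSelection(string $value, array $allowed): bool
{
    return in_array($value, $allowed, true);
}

/**
 * A user-supplied file name must resolve to an existing file inside the
 * expected parent directory. realpath() collapses "..", symlinks and duplicate
 * separators before the prefix test, so "../../usr/local/zend/etc/php.ini"
 * cannot escape the directory. Returns the resolved path or null.
 */
function validatePathWithin(string $parent, string $name, int $maxLen = 64): ?string
{
    if ($name === '' || strlen($name) > $maxLen || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($parent);
    $full = realpath($parent . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

/** Self-check on constructed inputs; throws on the first failed expectation. */
function runSelfCheck(): void
{
    $check = function (bool $ok, string $what): void {
        if (!$ok) {
            throw new RuntimeException("check failed: $what");
        }
    };
    $check(!validatePasswordLength('Summer2008xx', 6, 10), 'password longer than QPWDMAXLEN');
    $check(validatePasswordLength('Summer08', 6, 10), 'password within range');
    $check(validateUserId('PHPWEBUSR'), 'valid profile name');
    $check(!validateUserId('QSECOFR;DROP'), 'profile name with special characters');
    $check(!validateUserId('TOOLONGNAME1'), 'profile name over 10 characters');
    $check(!validateSearchText("x' OR '1'='1"), 'search text with SQL operators');
    $check(validateSearchText('ACME LTD'), 'plain search text');
    $check(validateSelection('2', ['1', '2', '3']), 'selected item from the list');
    $check(!validateSelection("2' --", ['1', '2', '3']), 'tampered selection');

    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpvalid_' . getmypid();
    mkdir($dir . '/reports', 0700, true);
    touch($dir . '/reports/q1.txt');
    try {
        $check(validatePathWithin($dir . '/reports', 'q1.txt') !== null, 'file inside parent');
        $check(validatePathWithin($dir . '/reports', '../../../etc/passwd') === null, 'traversal out of parent');
        $check(validatePathWithin($dir . '/reports', str_repeat('a', 65)) === null, 'over-long file name');
    } finally {
        unlink($dir . '/reports/q1.txt');
        rmdir($dir . '/reports');
        rmdir($dir);
    }
}

runSelfCheck();
echo 'all validation checks passed', PHP_EOL;
```

Every check is a whitelist (what is allowed) rather than a blacklist of characters to strip; the selection-list check in particular is what makes the "use selection lists instead of text fields" advice hold, since the browser's list is no constraint on what is actually posted.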
Summary
Like other external interfaces to i5/OS (e.g. ODBC, FTP, Telnet, TFTP, etc.), the PHP implementation and its usage need to be protected in order to protect:
• Information resources associated with PHP applications
• Information resources associated with other, non-PHP applications on the same system
Protect: the ZENDCORE library, /www/zendcore, /usr/local/zend, and the PHP application directories.
Use the exclusionary access control model on your whole system.
Use smart programming practices to prevent exposures.
Trademark & Disclosure Statements
The following terms and marks are trademarks of Group8 Security, Inc.: Security=f(cost,risk); Managing the Security Equation; Helping Business Manage the Security Equation.
Other company, brand and product names are trademarks or registered trademarks of their respective holders.
Information is provided "AS IS" without warranty of any kind. All examples described are presented as illustrations of how customers have used Group8 recommendations, products or services and the results they may have achieved. Actual results may vary by customer. Information concerning non-Group8 products or services was obtained from a supplier of these products, published announcement materials, or other publicly available sources and does not constitute an endorsement of such products by Group8.
Group8 Security, Inc. is an independent company. It does not receive or accept any form of payment for recommending other companies' products. We recommend products of which we are aware and with which we have at least some understanding or experience. We encourage customers to conduct their own product evaluations and select a product they believe will meet their requirements.
Copyright Group8 Security, Inc. 2007-2008. All rights reserved.
ABOUT GROUP8 SECURITY:
At Group8, we believe that IT security is first and foremost a business issue. It has technical aspects but is not inherently a technical problem. Security is something a company does, not something it has or can buy.
Our mission is to partner with you to help define, implement, and manage your security. We'll do this by helping you establish and manage business processes that lead to sound IT security business decisions. Together we'll define security objectives in terms of business requirements, and make technical decisions based on costs and return on investment as well as the effectiveness of the technical measures employed to enforce business objectives.
Group8 Security, Inc., 4790 Caughlin Pkwy, Suite 398, Reno, NV 89519-0907. Tel: 775-852-8887. www.group8security.com
ABOUT THE SPEAKER:
Pat Botz heads up security consulting for Group8, bringing his extensive experience in system security planning to our customers.
Prior to joining Group8, Pat served as Lead Security Architect and Team Leader for IBM, working on some of the most widely used midrange servers in the business world with a focus on authentication, authorization, auditing, and ease of use. Following his work on System i and the IBM Virtualization Engine, Pat founded the IBM Lab Services security consulting practice with a primary focus on helping customers meet various industry regulations such as SOX, PCI DSS, and SAS 70. He additionally worked to help customers improve the effectiveness and efficiency of their current security management processes, assisting them with moving to exclusionary access control models, eliminating passwords in various environments, managing user IDs, implementing encryption, and auditing on various platforms.
Pat is co-author of the book "Expert's Guide to OS/400 and i5/OS Security", and has published numerous articles in the trade press and IBM magazines. He is also a noted worldwide security conference speaker, presenting at various conferences and in webcasts including COMMON, the IBM Technical Conference, various user groups, the St. Cloud State University security conference, and IBM Business Partner conferences.