Embed Size (px)
Citation preview
Computer Securityset of slides 9
Dr Alexei Vernitski
Description of a rootkit• The software targeted a range of vulnerabilities in the Java programming
language, Adobe's Flash media player, Windows software and PDF files. It had two ways of doing this:– adding malicious code to hundreds of thousands of legitimate websites, which then
copied malware to visitors computers– creating links in spam messages to specially created sites that infected PCs
• The sites downloaded malware. Among the malware downloaded was:– fake anti-virus software that falsely claimed the PC was infected and urged the user
to pay a fee to remove viruses– Trojans that attempted to steal financial records stored on the PC– the ZeroAccess rootkit, which downloaded other software that hijacked the PC for
use in a botnet - a facility used to overwhelm websites with traffic and force them offline
– key loggers that took a record of what was typed on the PC– ransomware that attempted to blackmail the PC owner
• http://www.bbc.co.uk/news/technology-24456988
Example of ransomware
• http://readwrite.com/2013/11/08/cryptolocker-prevent-remove-eradicate
Vulnerabilities in programs
• For example:• Cross-site Scripting (XSS)• SQL Injection• Buffer Overflow• Improper authorizationhttp://www.sans.org/top25-software-errors/
SQL Injection
• This is another common type of program vulnerability
• A good paper on SQL injection:http://www.unixwiz.net/techtips/sql-injection.html
SQL Injection – example
• Example:SELECT *FROM employeesWHERE employeeID=idToQuery;
• Where idToQuery is a parameter entered by the user
SQL Injection – example
• If the user enters input such as 1 OR 1=1, the query returns all employees instead of one:
• SELECT *FROM employeesWHERE employeeID=1 OR 1=1;
Buffer overflow: an example
• Exploit:Win32/MS04028!jpeg uses a specially crafted image file (.JPG) that exploits a vulnerability in Microsoft Office programs. The exploit could cause a buffer overrun leading to the execution of arbitrary code.
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Exploit:Win32/MS04028!jpeg
Buffer overflow
• Some functions do not check the size of their input
• Examples are (in C)– gets()– scanf()– strcpy()– strcat()
Buffer overflow• It is a program where more data can be put into a buffer (e.g. an array) than is
safe, for example in C this could be:#include <stdio.h>int main(int argc, char* argv[]) {// allocate a buffer of a fixed lengthchar buffer[512];// copy the first command line argument into bufferstrcpy(buffer,argv[1]);printf("%s\n",buffer);}
• The example program takes the first command line argument passed to it, copies it into buffer and then prints it out.
• This program works fine for most short input strings (less then 511 chars.)• but as no “bounds” checking is done in the strcpy() function, if more than 511
characters are passed in arg[1] strange things may happen.
Buffer overflow
• The most important type of buffer overflow is the stack overflow
• The best paper on buffer overflow:http://insecure.org/stf/smashstack.html
• The cause of the problem is that the return address and the space for local variables (which potentially can contain user’s data) are placed in the areas of memory which are next to each other.
• thus, the string passed to program will: contain the exploit code, be slightly larger than the vulnerable buffer, and the extra bytes will have the address of the exploit code instead of the original function return address
How attacker actually uses a buffer overflow exploit
• The largest security risk is for programs that take user data but operate at a different privilege level (or as a different user) than the user that calls them. For example:– a “setuid” (or RunAs in WinNT) program (as discussed later in the lecture) has a high
risk. Such programs are often made “setuid” so that a user can access the hardware. A local user that uses an exploit to gain a root shell is often said to “escalate privileges”.
– the operating system itself may have a buffer overflow (or similar problem) so ordinary programs may be made to execute arbitrary code. This is effectively the same as running code as the system administrator so it is one of the biggest problems.
– a server often operates as a particular user ID. A remote attacker may use a buffer overflow exploit to run arbitrary programs as the server. For example the attacker could delete files that the server owns or change the files, this is often done to “deface” websites. In this case the attacker only gains access with the same privileges as the server and this is why it is important that a server is given its own user ID that has lower privileges than the administrator (or root) account.
For discussion
• How difficult is it for an attacker to find out whether a program is vulnerable to buffer overflow?
• Why do programmers keep using the functions that may lead to buffer overflow?
Security in operating systems
• There are many “objects” that an OS needs to control access to:– Memory– File read/write access– Ability to list contents of file directories– Right to execute program– Hardware devices– Operating system data– Access to privileged instructions– Security settings (e.g. passwords)
Operating systems: security methods
• “Objects” are protected by separation (data, computing resource etc.):– physical: e.g. use different network interfaces for public/internal
connections– temporal: run different processes needing different security
requirements at different times e.g. do not allow users to be logged on to a system while essential security updates being performed
– logical: operating system limits access to resources depending upon a configured set of permissions. In the extreme case the OS creates a constrained “sandbox” where processes have a very limited view of the rest of the operating system (more on this later)
– cryptographic: processes conceal their data so that they are unintelligible to other (non-authorised) processes.
Sharing resources• All or nothing: a resource is defined as either public or private (for
example, files on Moodle). • With access limitations: each resource has configured accessibility
options (e.g. file permissions by ownership and other users allowed to have access according to specific configuration)
• By capabilities: allows dynamic sharing rights to be created, for example a user can be part of a “print users group” and is automatically given rights when a new printing resource is added (subtly different but related to last case)
• With limited use: objects can be given limitation after they have been accessed. For example an Acrobat Reader Document (PDF) can be set up to allow a user to download the file and read it but not print it.
Access control
• Method typically used: Access control list (ACL)– Each object (e.g. file) has an access list associated with
it (it could be stored as part of the filesystem for a file).– Each access list contains entries for users and the rights
that each user has– each access list entry may contain a single user or
sometimes an OS has the concept of a group (a number of users given a common name)
– This is a very flexible approach (and efficient) and so is often used
ACL Ownership
• One common concept of practical ACLs is that each object has a notion of ownership, the owner can control access to the object, including the right to give others the right to control access to the object
• Command ls -l (in Unix/Linux)• To view the ownership of files/directories
• Command ps –aux (in Unix/Linux) • To view the ownership of processes
Example: ACL in Linux
• What three levels of access to a resource exist in Linux?
• What three types of access (known as r,w,x) exist in Linux?
• How can you check them using the ls command?• How can you change the access rights using the
chmod command? Who can use chmod?• For discussion: why is it useful to have separate
‘read’ and ‘execute’ bits for a directory?
For discussion
• Will this work?• Assuming that you have read permissions to the file and
write permissions to the directory then you can take ownership of a file...
mv $FILE $FILE.tmp cp $FILE.tmp $FILE rm $FILE.tmp
...so you can now chmod it!• From:
http://www.tek-tips.com/viewthread.cfm?qid=490296
Windows ACL implementation• Each directory or file has a large list of permissions that can be
individually tailored for each user or group:– Traverse folder/execute file– List folder/read data– Read attributes– Create files/write data– Create folders/append data– Write attributes– Read permissions– Change permissions– Delete subfolders/files– Take ownership– Synchronise
Sandboxing in Windows 8• By default, each app can only read from and write to its own private
storage area. If the app needs to do anything more than this—access the Pictures library, say, or connect to the network as either a client or a server—it must explicitly indicate that it needs these extra capabilities in something called a manifest. This prevents apps from being able to read each other's files, documents that you haven't explicitly granted them permission to read, and so on. This serves two purposes; it helps safeguard user privacy, instilling greater confidence in apps downloaded from the store, and it also reduces the impact of security flaws in those apps.
• These sandboxes are enforced by a new Windows 8 feature called AppContainers, which in turn builds on a feature introduced in Windows Vista, called integrity levels.
• http://arstechnica.com/information-technology/2012/10/better-on-the-inside-under-the-hood-of-windows-8/
For discussion
• A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered
• The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone.
• Android uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking the way Android checks these signatures so malicious changes to apps go unnoticed.
• http://www.bbc.co.uk/news/technology-23179522
ACL groups• It is common practice to use groups with ACLs. • In Unix(Linux) it is a fundamental part of the filesystem that
files/directories have user and group ownership. This allows a certain amount of “leakage” of permissions in a controlled manner. If there are a group of similar files that a group of people need access to then it is usual for a group to be created and the files to be given group ownership. Groups can be created for common tasks (e.g. users that need access to hardware resources like printers/scanners) or to suit organisational needs (e.g. all users in a division needing file access for a project).
• In Windows there is a very complex set of ACL possibilities. Groups can be defined as for Unix(Linux) and have similar uses. However:
• In Unix/Linux a file/directory can only have one user and group owner to control access; under Windows systems many users or groups can have individual tailored access permissions
Process based security (runas, setuid)
• What is setuid (in Linux)? Is it a command? Who can control setuid?
• What is setgid?• Windows systems have a similar feature
RunAs: this allows a program to be run as another user (after supplying suitable passwords etc.)
Access rights in Linux
• What does the command su does?• What does the command passwd does?• What are the possible security issues with su,
passwd and setuid?• What do the commands chown, chgrp do?
A common route of attack on access control methods
• Assuming that the authentication method (password etc.) has not been completely compromised attackers often try to circumvent the access control methods:
• first attackers gain access through “some means” to some low privilege account
• attackers use the low privilege account to search the operating system for clues:– user accounts that do not have passwords (e.g. root in Unix/Linux, guest or
administrator in WinNT systems)– system setting files that are “world” readable and look inside them for flaws in
the computer configuration that might give higher level access– programs that have known flaws – programs that run as a more privileged user (e.g. under Unix programs with
setuid)– use information gained to change to a user ID with higher privileges
Protection from attacks on access control
• Make sure the authentication methods are not compromised (e.g. The passwords are not known for any users) – more on this in next section.
• Only give users rights to objects that they really need: limit the file permissions to only those necessary (e.g. in Unix/Linux limit read permission on the files below the /etc/ directory or in WinNT systems in the /WinNt or System folders); only allow a limited set of users access to privileged accounts;
• frequently check files for weak permissions• encrypt important files/data under different schemes than the main system
security• do not allow any setuid programs under Unix (these are programs where the
security is under the control of the software writer, not the system administrator, and with many open source programs anyone can look for flaws to use)
• run server programs in a limited “sandbox” environment (e.g. chroot on Unix)• I make sure that server programs started by a privileged account change to a
lower privileged account as soon as possible after starting
Types of vulnerabilities
• Vulnerable application software or operating system components: the software has a “bug” or “trapdoor/backdoor” that poses a threat (e.g. a buffer overflow)
• Configuration errors: apply to programs or operating system features that in normal operation are quite safe but if improperly configured can be a threat
• Software or data that is “infected”: trojans, worms, viruses etc.
Vulnerable application/OS software: fixing
Once the vendor has discovered there is a fault it can be fixed in a number of ways:
• workaround: there may be a way that the software or OS component can be configured such that the vulnerability it removed, e.g. Disconnecting from the network stops any network based vulnerability (but may not be very helpful in fixing it in the long term!)
• patch: a fix may be made to an existing file such that the vulnerability is removed.
• upgrade: vendors are constantly working on upgrades to their software. Sometimes a planned software upgrade fixes the problem so a vendor may push for an early release to fix the problem (and if they are too quick introduce a whole new set of problems!). An upgrade may simply be a collection of patches made since the last proper release.
For discussion
• A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April.
• Exploit code already in circulation first uses a vulnerability to gain access the restricted sun.awt.SunToolkit class before a second bug is used to disable the SecurityManager, and ultimately to break out of the Java sandbox.
• Unpatched vulnerabilities to the so-called Gondvv exploit were introduced in Java 7.0, released in July 2011. All versions of Java 7 are vulnerable but older Java 6 versions appear to be immune.
http://www.theregister.co.uk/2012/08/30/java_zero_day_latest/
For discussion• A potent Java security vulnerability that first appeared earlier this week
actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April.
• Exploit code already in circulation first uses a vulnerability to gain access the restricted sun.awt.SunToolkit class before a second bug is used to disable the SecurityManager, and ultimately to break out of the Java sandbox.
• As a result of the vulnerability in the most recent version of Java, attackers can spread malware simply by ... (how?)
• Windows, Mac OS X and Linux desktops – which are more vulnerable?• In the absence of a patch for a potent and already abused vulnerability,
the best advice is... (to do what?)
Misconfigured software/OS
One of the biggest problems in computer security is often not the “bugs” in software that the companies provide but errors that users make.
Common problems include:• Poor password security: users with no passwords or passwords the
same as the login name etc.• Networked services that are not used (e.g. web-server on but not
used with weak default configuration)• Firewall installed but not turned on• Automatic updates not notified or installed, virus scanners turned off• Users configure something they do not understand and leave it in a
weak state
Scanning for vulnerabilities• As there are so many faults that can occur in a computer system security
experts and specialist security firms have developed security “scanners” or analysers.
• Scanners are broadly in two categories:– local vulnerability analysers: explore the local operating system for common
misconfigurations or out of date software– external scanners: use the network to probe machines remotely searching for
network services that a computer is using and testing it for known vulnerabilities• Neither local analysis or external scanning is perfect but both can help.
Some products allow both modes to be used e.g. – Nessus
http://www.nessus.org – Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Sample exam questions
• Give the definition of buffer overflow and explain how the attacker can use it
• Explain what is meant by a zero-day attack
Sample exam questions
• Explain who can run a Linux command su rootand what security arrangements there are in Linux to prevent the misuse of this command.
• Which of the following statements is correct?– setuid is used to set chmod– chmod is used to set setuid
