UNIX Security 2: A Quick Recap - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

UNIX Security 2: A Quick Recap

Description:

set path=( /usr/ucb /pkg/java-1.2.1/bin /site/bin /usr/bin /usr/sbin ... A worm is a program on its own, a process of which spawning things all over the ... – PowerPoint PPT presentation

Number of Views:32
Avg rating:3.0/5.0
Slides: 16
Provided by: alcorCo
Category:
Tags: unix | quick | recap | security

less

Transcript and Presenter's Notes

Title: UNIX Security 2: A Quick Recap


1
UNIX Security 2 A Quick Recap
  • SOEN321 - Information Systems Security
  • Revision 1.3
  • Date September 30, 2003

2
Trojan Horse
  • In UNIX, as in many other OS, there are ways to
    allow users execution of programs written by
    other users.
  • By having those programs executed in such a way
    that it provides the access rights of the
    executing user, the other users may misuse these
    rights.

3
Trojan Horse (2)
  • Examples
  • A text editor searching for keywords in the open
    file upon successful match, copies the document
    elsewhere. The code that missuses its runtime
    environment, is called a Trojan Horse.
  • UNIX path search. Well explore this one in
    greater detail.
  • A program emulating login.

4
UNIX path
  • Long search paths, which are very common in UNIX,
    make Trojan Horse matters worse.
  • Recall COMP346, Operating Systems...
  • PA1... ... to set proper Java version change
    your path to ....
  • The users can configure their environment
    variables in their .cshrc, .tcshrc, .bashrc,
    whatever, including the path variable.

set path( /usr/ucb /pkg/java-1.2.1/bin /site/bin
/usr/bin /usr/sbin \ /bin /usr/hosts
/usr/X11R6/bin /sbin /usr/lib \
/bin /bin/dev )
5
UNIX path (2)
  • The search path lists the set of the directories
    to search when an ambiguous command name given
    (i.e. not not absolute, which comprises 99 of
    the commands).
  • When user types a command in the shells prompt,
    the shell starts looking at every item in the
    path list, to look up the actual command.
  • The first command found is executed...

6
UNIX path (3)
  • Obviously (to whom? -)), all the directories the
    path list must be secure otherwise, a Trojan
    Horse replacement of a common command can be
    executed accidentally if it happened to sneak
    into one of those directories in the path.
  • A bad habit is to have . in your path list.

7
UNIX path (4)
  • . means current directory, so if you type a
    command, say ls, and a corresponding fake ls
    happened to be in your current directory, you can
    get in trouble.
  • Example a friend shares with you a directory
    by being in it and executing a command, you can
    actually execute the one in your friends
    directory which will run as you (with your
    effective UID) with all your privileges, thereby
    an ability to copy, delete, modify your files.
  • The bottom line never trust your current
    directory, remove . from your path -)

8
Login Emulation or Why Windows Login is More
Secure
  • A Trojan Horse variation is a fake login, i.e. a
    program emulating login prompt left by an
    advisory.
  • An unsuspecting user attempts to login and finds
    that it failed. Re-attempt - and success...
  • What had happened?

9
Login Emulation or Why Windows Login is More
Secure (2)
  • First time around the login emulator
  • simply saved the credentials somewhere,
  • faked incorrect login message, and
  • exited leaving normal login in place.
  • To defeat such an attack an OS can print an usage
    message at the end of interactive session or use
    some nontrappable key sequence, such as
    CtrlAltDel as in Windows NT/2000/XP

10
System Threats Morris Worm
  • A worm is a program on its own, a process of
    which spawning things all over the place causing
    performance degradation.
  • Famous The Morris Internet Worm hit UNIX systems
    (SunOS and VAX) in 1988

11
Morris Worm
  • Consisted of two programs bootstrap and and the
    main parts.
  • Bootstrap was uses a grappling hook a tiny C
    program compiled and run on every machine it
    accessed, and used to bring the main one in onto
    the hooked system.
  • The main was searching for new ways to propagate
    from the newly infested system.
  • The main also used to systematically crack user
    passwords on the host machine (lame cases,
    432-word dictionary, UNIX on-line dictionary)

12
Morris Worm
  • The worm used the holes in rsh, finger, and
    sendmail programs (recall the lecture transcript
    4)
  • rsh, an utility for remote command execution
    didnt require to use passwords if you had
    special files with host-login pairs
  • finger had a typical buffer overflow problem.
  • sendmail was used to transport the grappling hook
    thing when sendmail was run in the (default!)
    debug mode.

13
Morris Worm
14
The Morris Worm
  • Same tools that contributed to worms success,
    helped to defeat it.
  • Patched binaries were copied over the infected
    systems.
  • Presence of the source code also greatly helped.

15
Viruses
  • Viruses, unlike worms, are not standalone
    programs, but embed themselves into already
    pre-existing program.
  • Not going to talk about them here, just worth
    mentioning that there not as many for UNIX as for
    Windows.
  • The reason being is UNIX security model, with all
    those permissions, ACL, etc, if the infected
    program were to run, not much it can do WRT to
    the virus prorogation, because its capabilities
    usually limited and there are no write
    permissions set.
  • Hint use crypto as a virus detection mechanism
Write a Comment
User Comments (0)
About PowerShow.com