DOCSLIB.ORG

Linux Security Module Framework

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Linux Security Module Framework Linux Security Module Framework Chris Wright and Crispin Cowan ∗ James Morris WireX Communications, Inc. Intercode Pty Ltd [email protected], [email protected] [email protected] Stephen Smalley † Greg Kroah-Hartman ‡ NAI Labs, Network Associates, Inc. IBM Linux Technology Center [email protected] [email protected] Abstract sign and implementation of the LSM frame- work, a discussion of performance and secu- Computer security is a chronic and growing rity impact on the kernel, and a brief overview problem, even for Linux, as evidenced by the of existing security modules. seemingly endless stream of software security vulnerabilities. Security research has produced numerous access control mechanisms that help 1 Introduction improve system security; however, there is lit- tle consensus on the best solution. Many pow- Security is a chronic and growing problem: as erful security systems have been implemented more systems (and more money) go on line, the as research prototypes or highly specialized motivation to attack rises. Linux is not immune products, leaving systems operators with a dif- to this threat: the “many eyes make shallow ficult challenge: how to utilize these advanced bugs" argument [25] not withstanding, Linux features, without having to throw away their systems do experience a large number of soft- existing systems? ware vulnerabilities. The Linux Security Modules (LSM) project An important way to mitigate software vul- addresses this problem by providing the Linux nerabilities is through effective use of access kernel with a general purpose framework for controls. Discretionary access controls (root, access control. LSM enables loading enhanced user-IDs and mode bits) are adequate for user security policies as kernel modules. By pro- management of their own privacy, but are not viding Linux with a standard API for policy sufficient to protect systems from attack. Ex- enforcement modules, the LSM project hopes tensive research in non-discretionary access to enable widespread deployment of security control models has been done for over thirty hardened systems. This paper presents the de- years [2, 26, 18, 10, 16, 5, 20] but there has ∗This work supported in part by DARPA Contract been no real consensus on which is the one N66001-00-C-8032 (Autonomix) true access control model. Because of this lack † This work supported by NSA Contract MDA904- of consensus, there are many patches to the 01-C-0926 (SELinux) ‡This work represents the view of the authors and Linux kernel that provide enhanced access con- does not necessarily represent the view of IBM. But that trols [7, 11, 12, 14, 17, 19, 24, 20, 32] but none sentence did. of them are a standard part of the Linux kernel. Ottawa Linux Symposium 2002 605 The Linux Security Modules (LSM) [30, 27, a different kernel module; 31] project seeks to solve this Tower of Ba- bel [1] quandary by providing a general- • conceptually simple, minimally invasive, purpose framework for security policy mod- and efficient; and ules. This allows many different access con- trol models to be implemented as loadable ker- • able to support the existing POSIX.1e nel modules, enabling multiple threads of secu- capabilities logic as an optional security rity policy engine development to proceed in- module. dependently of the main Linux kernel. A num- ber of existing enhanced access control im- To achieve these goals while remaining agnos- plementations, including POSIX.1e capabili- tic with respect to styles of access control me- ties [29], SELinux, Domain and Type Enforce- diation, LSM takes the approach of mediating ment (DTE) [14] and Linux Intrusion Detec- access to the kernel’s internal objects: tasks, tion System (LIDS) [17] have already been inodes, open files, etc., as shown in Figure 1. adapted to use the LSM framework. User processes execute system calls, which first traverse the Linux kernel’s existing logic The remainder of this paper is organized as for finding and allocating resources, perform- follows. Section 2 presents the LSM design ing error checking, and passing the classical and implementation. Section 3 gives a detailed UNIX discretionary access controls. Just be- look at the LSM interface. Section 4 describes fore the kernel attempts to access the internal the impact LSM has on performance and secu- object, an LSM hook makes an out-call to the rity, including a look at some projects that have module posing the question, “Is this access ok been ported to LSM so far. Section 5 presents with you?” The module processes this policy our conclusions. question and returns either “yes” or “no.” 2 Design and Implementation One might ask why LSM chose this approach rather than system call interposition (mediat- ing system calls as they enter the kernel) or de- At the 2001 Linux Kernel Summit, the NSA vice mediation (mediating at access to physi- presented their work on Security-Enhanced cal devices).1 The reason is that information Linux (SELinux) [19], an implementation of a critical to sound security policy decisions is flexible access control architecture in the Linux not available at those points. At the system kernel. Linus Torvalds appeared to accept that call interface, userspace data, such as a path a general access control framework for the name, has yet to be translated to the kernel Linux kernel is needed. However, given the object it represents, such as an inode. Thus, many Linux kernel security projects, and Li- system call interposition is both inefficient and nus’ lack of expertise in sophisticated security prone to time-of-check-to-time-of-use (TOCT- policy, he preferred an approach that allowed TOU) races [28, 6]. At the device interface, security models to be implemented as loadable some other critical information (such as the kernel modules. In fact, Linus’ response pro- path name of the file to be accessed) has been vided the seeds of the LSM design. The LSM thrown away. In between is where the full framework must be: context of an access request can be seen, and 1The glib answer is that the Linux kernel already pro- • truly generic, where using a different se- vides those features and there would be nothing for us to curity model is merely a matter of loading do :-) Ottawa Linux Symposium 2002 606 User Level process User space open system call Kernel space Look up inode error checks LSM Module DAC checks Policy Engine "OK with you?" Examine context LSM hook Does request pass policy? Yes or No Grant or deny Complete request Access inode Figure 1: LSM Hook Architecture where a fully informed access control decision because some policies may explicitly con- can be made. flict [13]. On the other hand, it is clearly de- sirable to compose some combinations of se- A subtle implication of the LSM architecture curity policies. Here, LSM effectively punts to is that access control decisions are restric- the module writer: to be able to “stack” mod- 2 tive : the module can really only say “no” [31]. ules, the first module loaded must also export Functional errors and classical security checks an LSM interface to subsequent LSM modules can result in an access request being denied to be loaded. The first module is then responsi- before it is ever presented to the LSM mod- ble for composing the access control decisions ule. This is the opposite of the way manda- that it gets back from secondary modules. tory access control systems are normally im- plemented. This design choice limits the flex- ibility of the LSM framework, but substan- tially simplifies the impact of the LSM on the 3 LSM Interface Linux kernel. To do otherwise would have required implementing many instances of the same hook throughout the kernel, to ensure that Having discussed the high-level design the module is consulted at every place where a philosophies of LSM in Section 2, we now system call could “error out.” turn to the implementation of the LSM in- terface. At the core, the LSM interface is Composition of LSM modules is another prob- a large table of functions, which by default lematic issue. On the one hand, security are populated with calls that implement the policies do not compose in the general case traditional superuser DAC policy. The module 2Caveat: the capable() hook, which is needed writers are then responsible for providing to support POSIX.1e capabilities, can override DAC implementations of the functions that they checks, see Section 3.8. care about. This section provides a detailed Ottawa Linux Symposium 2002 607 analysis of those functions.3 Section 3.1 shows the LSM framework to remain simple, push- how to register a security module. Sections 3.2 ing the policy which defines composition into through 3.8 are organized by kernel object and the primary security module. discuss the LSM interface available to mediate access to each object. 3.2 Task Hooks 3.1 Policy Registration The task_struct structure is the kernel ob- The LSM interface is implemented as a struc- ject representing kernel schedulable tasks. It ture of callback methods, security_ops. contains basic task information such as user A security module is responsible for imple- and group ID, resource limits, and scheduling menting the callbacks according to the secu- policies and priorities. LSM provides a group rity policy it is enforcing. At boot time the of task hooks, task_security_ops, that security_ops structure is initialized with mediate a task’s access to this basic task in- default callbacks, which implement traditional formation. Interprocess signalling is mediated superuser semantics. by the LSM task hooks to monitor tasks’ abil- The security module can be built as a dynami- ities to send and receive signals. LSM adds a cally loadable module or statically linked into security field to the task_struct to allow the kernel.
Load more

Recommended publications
  • Have You Driven an Selinux Lately? an Update on the Security Enhanced Linux Project
    Have You Driven an SELinux Lately? An Update on the Security Enhanced Linux Project James Morris Red Hat Asia Pacific Pte Ltd [email protected] Abstract All security-relevant accesses between subjects and ob- jects are controlled according to a dynamically loaded Security Enhanced Linux (SELinux) [18] has evolved mandatory security policy. Clean separation of mecha- rapidly over the last few years, with many enhancements nism and policy provides considerable flexibility in the made to both its core technology and higher-level tools. implementation of security goals for the system, while fine granularity of control ensures complete mediation. Following integration into several Linux distributions, SELinux has become the first widely used Mandatory An arbitrary number of different security models may be Access Control (MAC) scheme. It has helped Linux to composed (or “stacked”) by SELinux, with their com- receive the highest security certification likely possible bined effect being fully analyzable under a unified pol- for a mainstream off the shelf operating system. icy scheme. SELinux has also proven its worth for general purpose Currently, the default SELinux implementation com- use in mitigating several serious security flaws. poses the following security models: Type Enforcement (TE) [7], Role Based Access Control (RBAC) [12], While SELinux has a reputation for being difficult to Muilti-level Security (MLS) [29], and Identity Based use, recent developments have helped significantly in Access Control (IBAC). These complement the standard this area, and user adoption is advancing rapidly. Linux Discretionary Access Control (DAC) scheme. This paper provides an informal update on the project, With these models, SELinux provides comprehensive discussing key developments and challenges, with the mandatory enforcement of least privilege, confidential- aim of helping people to better understand current ity, and integrity.
    [Show full text]
  • On Trends in Low-Level Exploitation
    On trends in low-level exploitation Christian W. Otterstad Department of Informatics, University of Bergen Abstract Low-level computer exploitation and its mitigation counterpart has accumulated some noteworthy history. Presently, especially in academia, it features a plethora of mitigation techniques and also various possible modes of attack. It has seen numerous developments building upon basic methods for both sides and certain trends have emerged. This paper is primarily an overview paper, focusing especially on x86 GNU/Linux. The basic reasons inherent for allowing low-level exploitability are identified and explained to provide background knowledge. The paper furthermore describes the history, present state of the art and future developments that are topical and appear to be important in the field. Several attack and defense techniques have overlapping notions with not always obvious differences. Herein the notion of the bar being raised for both exploits and mitigation methods is examined and extrapolated upon based on the known relevant present state and history. The difference between academia and the industry is discussed especially where it relates to application of new mitigation techniques. Based on this examination some patterns and trends are identified and a conjecture for the likely future development of both is presented and justified. This paper was presented at the NIK-2016 conference; see http://www.nik.no/. 1 Introduction and earlier related work In 1972 the paper “Computer Security Technology Planning Study” was published [1]. Since then, research surrounding the main ideas in this paper has grown to become a ma- ture and complex field in its own right. There are many different exploitation techniques and mitigation techniques.
    [Show full text]
  • Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car
    2015-01-0224 Published 04/14/2015 Copyright © 2015 SAE International doi:10.4271/2015-01-0224 saepcelec.saejournals.org Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car Patrick Shelly Mentor Graphics Corp. ABSTRACT With the dramatic mismatch between handheld consumer devices and automobiles, both in terms of product lifespan and the speed at which new features (or versions) are released, vehicle OEMs are faced with a perplexing dilemma. If the connected car is to succeed there has to be a secure and accessible method to update the software in a vehicle's infotainment system - as well as a real or perceived way to graft in new software content. The challenge has become even more evident as the industry transitions from simple analog audio systems which have traditionally served up broadcast content to a new world in which configurable and interactive Internet- based content rules the day. This paper explores the options available for updating and extending the software capability of a vehicle's infotainment system while addressing the lifecycle mismatch between automobiles and consumer mobile devices. Implications to the design and cost of factory installed equipment will be discussed, as will expectations around the appeal of these various strategies to specific target demographics. CITATION: Shelly, P., "Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car," SAE Int. J. Passeng. Cars – Electron. Electr. Syst. 8(1):2015, doi:10.4271/2015-01-0224. INTRODUCTION be carefully taken into account. The use of app stores is expected to grow significantly in the coming years as automotive OEMs begin to Contemporary vehicle infotainment systems face an interesting explore apps not only on IVI systems, but on other components of the challenge.
    [Show full text]
  • (Un)Smashing the Stack
    Hello, Interwebs Hi, and thanks for reading this. As I mentioned a number of times during the talk this was one long, hard slog of a topic for me. My intent was not to duplicate existing research (Johnson and Silberman @ BHUS05, others), but to try to make this topic comprehensible for the typical security professional, who (GASP! SHOCK! HORROR!) may not necessarily grasp all the hairy internals of exploit development, but still is tasked with protecting systems. For the other 90% of us out there, our job is not to be leet, but rather not to get owned, something I hope to get a little bit better at every day. Since exploit mitigation is something that might bring us all a little bit closer to that, I wanted to explore the topic. Thanks much to BH for giving me the opportunity to do so, and to all of you for listening. Thanks also to all the amazing people working on these technologies, especially the PaX team and Hiroaki Etoh of IBM. -- shawn P.S. It’s actually Thompson that had the Phil Collins hair, not Ritchie. Sorry, Dennis. 28 75 6e 29 53 6d 61 73 68 69 6e 67 20 74 68 65 20 53 74 61 63 6b 0d 0a (un)Smashing the Stack 4f 76 65 72 66 6c 6f 77 73 2c 20 43 6f 75 6e 74 65 72 6d 65 61 73 75 72 65 73 20 61 6e 64 20 74 68 65 20 52 65 61 6c 20 57 6f 72 6c 64 Overflows, Countermeasures and the Real World Shawn Moyer :: Chief Researcher ---- SpearTip Technologies ---> blackhat [at] cipherpunx [dot] org Hey, who is this guy? ShawnM: InfoSec consultant, (quasi-) developer, husband, father, and raging paranoid with obsessive tendencies Chief Researcher at SpearTip Technologies Security Consultancy in Saint Louis, MO Forensics, Assessment, MSSP, network analysis Weddings, Funerals, Bar Mitzvahs I like unsolvable problems, so I’m mostly interested in defense.
    [Show full text]
  • Detecting Exploit Code Execution in Loadable Kernel Modules
    Detecting Exploit Code Execution in Loadable Kernel Modules HaizhiXu WenliangDu SteveJ.Chapin Systems Assurance Institute Syracuse University 3-114 CST, 111 College Place, Syracuse, NY 13210, USA g fhxu02, wedu, chapin @syr.edu Abstract and pointer checks can lead to kernel-level exploits, which can jeopardize the integrity of the running kernel. Inside the In current extensible monolithic operating systems, load- kernel, exploitcode has the privilegeto interceptsystem ser- able kernel modules (LKM) have unrestricted access to vice routines, to modify interrupt handlers, and to overwrite all portions of kernel memory and I/O space. As a result, kernel data. In such cases, the behavior of the entire sys- kernel-module exploitation can jeopardize the integrity of tem may become suspect. the entire system. In this paper, we analyze the threat that Kernel-level protection is different from user space pro- comes from the implicit trust relationship between the oper- tection. Not every application-level protection mechanism ating system kernel and loadable kernel modules. We then can be applied directly to kernel code, because privileges present a specification-directed access monitoring tool— of the kernel environment is different from that of the user HECK, that detects kernel modules for malicious code ex- space. For example, non-executableuser page [21] and non- ecution. Inside the module, HECK prevents code execution executable user stack [29] use virtual memory mapping sup- on the kernel stack and the data sections; on the bound- port for pages and segments, but inside the kernel, a page ary, HECK restricts the module’s access to only those kernel or segment fault can lead to kernel panic.
    [Show full text]
  • Demystifying Internet of Things Security Successful Iot Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M
    Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Chandler, AZ, USA Chandler, AZ, USA Ned Smith David M. Wheeler Beaverton, OR, USA Gilbert, AZ, USA ISBN-13 (pbk): 978-1-4842-2895-1 ISBN-13 (electronic): 978-1-4842-2896-8 https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s) This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material.
    [Show full text]
  • Debian \ Amber \ Arco-Debian \ Arc-Live \ Aslinux \ Beatrix
    Debian \ Amber \ Arco-Debian \ Arc-Live \ ASLinux \ BeatriX \ BlackRhino \ BlankON \ Bluewall \ BOSS \ Canaima \ Clonezilla Live \ Conducit \ Corel \ Xandros \ DeadCD \ Olive \ DeMuDi \ \ 64Studio (64 Studio) \ DoudouLinux \ DRBL \ Elive \ Epidemic \ Estrella Roja \ Euronode \ GALPon MiniNo \ Gibraltar \ GNUGuitarINUX \ gnuLiNex \ \ Lihuen \ grml \ Guadalinex \ Impi \ Inquisitor \ Linux Mint Debian \ LliureX \ K-DEMar \ kademar \ Knoppix \ \ B2D \ \ Bioknoppix \ \ Damn Small Linux \ \ \ Hikarunix \ \ \ DSL-N \ \ \ Damn Vulnerable Linux \ \ Danix \ \ Feather \ \ INSERT \ \ Joatha \ \ Kaella \ \ Kanotix \ \ \ Auditor Security Linux \ \ \ Backtrack \ \ \ Parsix \ \ Kurumin \ \ \ Dizinha \ \ \ \ NeoDizinha \ \ \ \ Patinho Faminto \ \ \ Kalango \ \ \ Poseidon \ \ MAX \ \ Medialinux \ \ Mediainlinux \ \ ArtistX \ \ Morphix \ \ \ Aquamorph \ \ \ Dreamlinux \ \ \ Hiwix \ \ \ Hiweed \ \ \ \ Deepin \ \ \ ZoneCD \ \ Musix \ \ ParallelKnoppix \ \ Quantian \ \ Shabdix \ \ Symphony OS \ \ Whoppix \ \ WHAX \ LEAF \ Libranet \ Librassoc \ Lindows \ Linspire \ \ Freespire \ Liquid Lemur \ Matriux \ MEPIS \ SimplyMEPIS \ \ antiX \ \ \ Swift \ Metamorphose \ miniwoody \ Bonzai \ MoLinux \ \ Tirwal \ NepaLinux \ Nova \ Omoikane (Arma) \ OpenMediaVault \ OS2005 \ Maemo \ Meego Harmattan \ PelicanHPC \ Progeny \ Progress \ Proxmox \ PureOS \ Red Ribbon \ Resulinux \ Rxart \ SalineOS \ Semplice \ sidux \ aptosid \ \ siduction \ Skolelinux \ Snowlinux \ srvRX live \ Storm \ Tails \ ThinClientOS \ Trisquel \ Tuquito \ Ubuntu \ \ A/V \ \ AV \ \ Airinux \ \ Arabian
    [Show full text]
  • A Framework for Prototyping and Testing Data-Only Rootkit Attacks
    1 A Framework for Prototyping and Testing Data-Only Rootkit Attacks Ryan Riley [email protected] Qatar University Doha, Qatar Version 1.0 This is a preprint of the paper accepted in Elsevier Computers & Security Abstract—Kernel rootkits—attacks which modify a running of 25 rootkit attacks to test with, but end up stating, “Of operating system kernel in order to hide an attacker’s presence— the 25 that we acquired, we were able to install 18 in our are significant threats. Recent advances in rootkit defense tech- virtual test infrastructure. The remainder either did not support nology will force rootkit threats to rely on only modifying kernel data structures without injecting and executing any new our test kernel version or would not install in a virtualized code; however these data-only kernel rootkit attacks are still environment.” In [2], the authors test with 16 Linux rootkits, both realistic and powerful. In this work we present DORF, a but only 12 of them overlap with [1]. In [3], the authors give framework for prototyping and testing data-only rootkit attacks. no results that involved testing with rootkit attacks. DORF is an object-oriented framework that allows researchers to As another example, in our own work involving kernel construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF rootkit defense [2], [4], [5], [6] we found ourselves locked in contains a group of existing and new data-only attacks, and the to an older version of Linux due to the rootkits we planned to portability of DORF is demonstrated by porting it to 6 different test with.
    [Show full text]
  • Linux Kernel Debugging and Security (Lfd440)
    Contact Us [email protected] HOME > COURSE CATALOG > LINUX FOUNDATION > SECURITY > LINUX KERNEL DEBUGGING AND SECURITY (LFD440) Linux Kernel Debugging and Security (LFD440) DURATION 4 Days COURSE LNX-LFD440 AVAILABLE FORMATS Classroom Training, Online Training Course Description Overview Learn the methods and internal infrastructure of the Linux kernel. This course focuses on the important tools used for debugging and monitoring the kernel, and how security features are implemented and controlled. Objectives This four day course includes extensive hands-on exercises and demonstrations designed to give you the necessary tools to develop and debug Linux kernel code. Students will walk away from this course with a solid understanding of Linux kernel. debugging techniques and tools. Audience 9/27/2021 1 of 11 1:47:42 PM This course is for experienced developers who need to understand the methods and internal infrastructure of the Linux kernel. Prerequisites To make the most of this course, you should: Be proficient in the C programming language; Be familiar with basic Linux (UNIX) utilities such as ls, grep and tar; Be comfortable using any of the available text editors (e.g. emacs, vi, etc.); Experience with any major Linux distribution is helpful but not strictly required; Have experience equivalent to having taken : Linux Kernel Internals and Development. Topics Introduction Objectives Who You Are The Linux Foundation Linux Foundation Training Certification Programs and Digital Badging Linux Distributions Platforms Preparing Your System
    [Show full text]
  • Securing Debian HOWTO
    Securing Debian HOWTO Javier Fernández-Sanguino Peña <[email protected]> v1.92 6 noviembre 2001Tue Oct 23 00:59:57 CEST 2001 Abstract This document describes the process of securing and hardening the default Debian installation. It covers some of the common taks to setup a secure network environment using Debian GNU/Linux. Copyright Notice Copyright c 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña Copyright c 2000 Alexander Reelsen however it is distributed under the terms of the GNU free documentation license. This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. i Contents 1 Introduction 1 1.1 Download the HOWTO ................................... 1 1.2 Organizational Notes/Feedback ............................... 2 1.3 Prior knowledge ....................................... 2 1.4 Things that need to be written (TODO) ........................... 2 1.5 Changelog .......................................... 4 1.5.1 Version 1.92 .................................... 4 1.5.2 Version 1.91 .................................... 4 1.5.3 Version 1.9 ..................................... 4 1.5.4 Version 1.8 ..................................... 5 1.5.5 Version 1.7 ..................................... 5 1.5.6 Version 1.6 ..................................... 5 1.5.7 Version 1.5 ..................................... 6 1.5.8 Version 1.4 ..................................... 6 1.5.9 Version 1.3 ..................................... 6 1.5.10 Version 1.2 ..................................... 6 1.5.11 Version 1.1 ..................................... 6 1.5.12 Version 1.0 ..................................... 6 1.6 Credits ............................................ 7 2 Before you begin 9 2.1 What do you want this system for? ............................. 9 2.2 Be aware of general security problems ........................... 9 2.3 How does Debian handle security? ............................. 11 CONTENTS ii 3 Before and during the installation 13 3.1 Choose a BIOS password .................................
    [Show full text]
  • On the Quality of Exploit Code
    On the Quality of Exploit Code An Evaluation of Publicly Available Exploit Code, Hackers & Threats II, February 17, 2:00 PM, San Francisco, CA Ivan Arce, Core Security Technologies OUTLINE • Prologue: Context and definitions • Why exploit code? • Quality metrics • Examples • Epilogue: Future work PROLOGUE VULNERABILITIES & EXPLOITS Lets start by defining a common language • Vulnerability (noun) — “A flaw in a system that, if leveraged by an attacker, can potentially impact the security of said system” — Also: security bug, security flaw, security hole • Exploit (verb) — “To use or manipulate to one’s advantage” (Webster) — “A security hole or an instance of taking advantage of a security hole” EXPLOIT CODE Exploit code is not just “proof of concept” • Proof of Concept exploit - PoC (noun) — A software program or tool that exploits a vulnerability with the sole purpose of proving its existence. • Exploit Code (noun) — A software program or tool developed to exploit a vulnerability in order to accomplish a specific goal. — Possible goals: denial of service, arbitrary execution of code, etc An emerging role in the information security practice WHY TALK ABOUT EXPLOIT CODE? ANATOMY OF A REAL WORLD ATTACK The classic attack uses exploit code... ATTACKER Base Camp A target server is attacked and compromised The acquired server is used as vantage point to penetrate the corporate net Further attacks are performed as an internal user EXPLOIT CODE FUNCTIONALITY Exploit code becomes more sophisticated • Add a simple “listen shell” echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &" • Add an account to the compromised system: echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:1WXmkX74Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow • Execute a “bind-shell” • Execute a “reverse shell” • Deploy and execute a multi-purpose agent Command shell, FTP, TFTP, IRC, “zombies”, snifers, rootkits..
    [Show full text]
  • Seth Arnold SARNOLD(7)
    SARNOLD(7) Seth Arnold SARNOLD(7) NAME Seth Arnold - sarnold(7) - +1-503-577-3453 - [email protected] SYNOPSIS I am versatile, able to quickly adapt to and excel in complex systems, especially those with subtle security and reliability problems. I enjoy talking with customers and users; my most recent supervisor noted I have a very good sense of the customer's voice. I support co-workers with enthusiasm, improving a team's productivity and morale. OPTIONS · 15 years experience developing software for Linux (Ubuntu, Debian, SuSE, Red Hat, Slackware, Caldera). · 6 years experience using OpenBSD, WinNT 4.0 / Win2K. · 4 years experience using NetWare 3.11, SCO 3.2.4.2, and SCO OpenServer 5.0. · Programming Languages: C, Ruby, Perl, Python, Java, Unix shell, SQL, HTML, LaTeX · Source code control systems: Git, Subversion, CVS, BitKeeper · Native English speaker; learning German I have expertise with Linux kernel internals, cryptography, security issues, software development and mainte- nance, and the TCP/IP family of protocols. I am familiar with the constraints and freedoms of open source licenses. I give confident, credible, and effective presentations about complex subjects. I participate in Free Software and Open Source communities. I have been part of the Open and Free Technology Community's NOC and a staff member on Freenode. HISTORY May 2005 { October 2007 Novell, Inc. / SuSE GmbH; Portland, OR, USA I joined the SuSE Labs research and development team when Novell acquired Immunix. My responsibilities at Novell / SuSE included: Software development Primary developer of AppArmor Mandatory Access Control policies for the SuSE Linux family of distribu- tions.
    [Show full text]