The Danger of Unrandomized Code EDWARD J. SCHWARTZ Of Headless User Accounts and Restricted Shells JAN SCHAUMANN DevOps from a Sysadmin Perspective PATRICK DEBOIS Conference Reports from the 20th USENIX Security DECEMBER 2011 VOL. 36, NO. 6 Symposium, CSET, HotSec, and more UPCOMING EVENTS 10th USENIX Conference on File and Storage 4th USENIX Workshop on Hot Topics in Technologies (FAST ’12) Parallelism (HotPar ’12) SPONSORED BY USENIX IN COOPERATION WITH ACM SIGOPS SPONSORED BY USENIX IN COOPERATION WITH ACM SIGMETRICS, ACM SIGSOFT, ACM SIGOPS, ACM SIGARCH, AND ACM SIGPLAN February 14–17, 2012, San Jose, CA, USA June 7–8, 2012, Berkeley, CA, USA http://www.usenix.org/fast12 http://www.usenix.org/hotpar12 In Cooperation: EuroSys 2012 Paper registration due: January 24, 2012 SPONSORED BY ACM SIGOPS IN COOPERATION WITH USENIX 2012 USENIX Federated Conferences Week April 10–13, 2012, Bern, Switzerland June 12–15, 2012, Boston, MA, USA http://eurosys2012.unibe.ch 2012 USENIX Annual Technical Conference 2nd USENIX Workshop on Hot Topics in Man- (USENIX ATC ’12) agement of Internet, Cloud, and Enterprise June 13–15, 2012 Networks and Services (Hot-ICE ’12) http://www.usenix.org/atc12 CO-LOCATED WITH NSDI ’12 Paper titles and abstracts due: January 10, 2012 April 24, 2012, San Jose, CA, USA 3rd USENIX Conference on Web Application http://www.usenix.org/hotice12 Development (WebApps ’12) Paper registration due: January 6, 2012 June 13–14, 2012 http://www.usenix.org/webapps12 5th USENIX Workshop on Large-Scale Exploits Submissions due: January 23, 2012 and Emergent Threats (LEET ’12) CO-LOCATED WITH NSDI ’12 4th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud ’12) April 24, 2012, San Jose, CA, USA http://www.usenix.org/leet12 4th USENIX Workshop on Hot Topics in Storage Submissions due: February 13, 2012 and File Systems (HotStorage ’12) 9th USENIX Symposium on Networked Systems 21st USENIX Security Symposium Design and Implementation (NSDI ’12) (USENIX Security ’12) SPONSORED BY USENIX IN COOPERATION WITH ACM SIGCOMM AND August 6–10, 2012, Bellevue, WA, USA ACM SIGOPS April 25–27, 2012, San Jose, CA, USA 10th USENIX Symposium on Operating Systems http://www.usenix.org/nsdi12 Design and Implementation (OSDI ’12) October 8–10, 2012, Hollywood, CA, USA In Cooperation: 5th Annual International http://www.usenix.org/osdi12 Systems and Storage Conference (SYSTOR 2012) Submissions due: May 3, 2012 IN COOPERATION WITH ACM SIGOPS (PENDING) AND USENIX June 4–6, 2012, Haifa, Israel 26th Large Installation System Administration http://www.research.ibm.com/haifa/conferences/ Conference (LISA ’12) systor2012 December 9–14, 2012, San Diego, CA, USA FOR A COMPLETE LIST OF ALL USENIX AND USENIX CO-SPONSORED EVENTS, SEE HTTP://WWW.USENIX.ORG/EVENTS EDITOR Rik Farrow [email protected] MANAGING EDITOR Jane-Ellen Long [email protected] DECEMBER 2011, VOL. 36, NO. 6 COPY EDITOR Steve Gilmartin [email protected] OPINION Musings RIK FARROW . 2 PRODUCTION Arnold Gatilao SECURITY Casey Henderson Jane-Ellen Long The Danger of Unrandomized Code EDWARD J. SCHWARTZ . 7 Exploit Programming: From Buffer Overflows to “Weird Machines” and Theory of TYPESETTER Star Type Computation SERGEY BRATUS, MICHAEL E. LOCASTO, MEREDITH L. PATTERSON, [email protected] LEN SASSAMAN, AND ANNA SHUBINA . 13 USENIX ASSOCIATION The Halting Problems of Network Stack Insecurity LEN SASSAMAN, MEREDITH L. 2560 Ninth Street, Suite 215, PATTERSON, SERGEY BRATUS, AND ANNA SHUBINA . 22 Berkeley, California 94710 Phone: (510) 528-8649 SYSADMIN FAX: (510) 548-5738 Beyond the Basics of HTTPS Serving ADAM LANGLEY . 33 http://www.usenix.org Of Headless User Accounts and Restricted Shells JAN SCHAUMANN . 38 http://www.sage.org DevOps from a Sysadmin Perspective PATRICK DEBOIS . 45 ;login: is the official magazine of the USENIX Association. ;login: (ISSN 1044-6397) COLUMNS is published bi-monthly by the USENIX Practical Perl Tools: From the Editor DAVID N. BLANK-EDELMAN . 48 Association, 2560 Ninth Street, Suite 215, DAVE JOSEPHSEN Berkeley, CA 94710. iVoyeur: Changing the Game . 54 /dev/random ROBERT G. FERRELL . 58 $90 of each member’s annual dues is for a subscription to ;login:. Subscriptions for BOOKS nonmembers are $125 per year. Periodicals postage paid at Berkeley, CA, Book Reviews ELIZABETH ZWICKY, WITH SAM STOVER . 61 and additional offices. USENIX NOTES POSTMASTER: Send address changes to 2012 Election for the USENIX Board of Directors ALVA L. COUCH . 64 ;login:, USENIX Association, 2560 Ninth Street, Suite 215, Berkeley, CA 94710. USENIX Remembers Dennis Ritchie (1941–2011) . 65 USA Team Wins Big at International Programming Competition BRIAN DEAN . 65 ©2011 USENIX Association USENIX is a registered trademark of the Thanks to Our Volunteers . 66 USENIX Association. Many of the designa- tions used by manufacturers and sellers CONFERENCES to distinguish their products are claimed 20th USENIX Security Symposium . 68 as trademarks. USENIX acknowledges all 4th Workshop on Cyber Security Experimentation and Test . 97 trademarks herein. Where those designa- tions appear in this publication and USENIX USENIX Workshop on Free and Open Communications on the Internet . .. 104 is aware of a trademark claim, the designa- 5th USENIX Workshop on Offensive Technologies . 106 tions have been printed in caps or initial caps. 2nd USENIX Workshop on Health Security and Privacy . 111 6th USENIX Workshop on Hot Topics in Security . 120 Musings RIK FARROWOPINION Rik is the editor of ;login:. The latest effort to improve computer and network security has been for the US [email protected] Congress to pass new laws . Currently proposed laws will increase penalties for attackers, including the perhaps misguided hackers who point out easy-to-find flaws in public servers, to the point of treating them like racketeers . The real culprits, the companies who leave treasure troves of information with real worth easily accessible, will be encouraged to do better . I think there are better solutions . And for a change, this issue actually includes an article that points the way for- ward to improving network security . I have whined way too often about how bad things are, giving the appearance that I’m terribly depressed, so I am happy to pre- sent something much more useful than more complaints about the state of things . The Exploit Issue The first three articles in this issue deal with exploits, the methods used for attacking server and client software . You might not think that reading more about exploits will result in techniques for preventing them, but please give us a moment of your time . We begin with an article by Ed Schwartz . Ed presented a paper at USENIX Secu- rity ’11 on Q [1], software that finds short code segments that can be used in one type of exploit . I wanted Ed to write for ;login: because he did an outstanding job of explaining return-oriented programming (ROP) during his Security presentation . Ed’s excellent article starts by explaining how different exploits work, two of the current countermeasures, and why they do not always succeed . He also provides a first-rate discussion of both past and current methods for taking control of the flow of execution, then executing the code of the attacker’s choice . As Ed writes, “At a high level, all control flow exploits have two components: a computation and a control hijack . The computation specifies what the attacker wants the exploit to do . For example, the computation might create a shell for the attacker, or create a back-door account . A typical computation is to spawn a shell by including execut- able machine code called shellcode ”. And as Ed has pointed out, the attacker wants to do something that the target software was neither designed nor written to do . Instead, the attacker needs to use existing mechanisms in the software, and its supporting libraries, to do something completely unexpected . Next, the paper by Sergey Bratus and his co-authors ties in quite beautifully with Ed’s article . I first met Sergey Bratus during WOOT ’11, where he was explaining 2 ;login: VOL. 36, NO. 6 how code found in every Linux executable actually includes a complete Turing machine that can be abused [2] . Sergey called this code, and examples like it, weird machines, and I find I like this terminology . A weird machine provides an attacker with the ability to execute his own code, completely contrary to the intentions of the software’s designers . Yet these weird machines must be present for this to work . And we have hundreds, if not thousands, of existing exploits that prove that these weird machines actually exist . Sergey also acted as the point person for the third article in this collection . He had to, because its lead author, Len Sassaman, died this summer, before the article was proposed . Len, his wife, Meredith Patterson, and others had been working on a paper that looked at exploits in a different light . What makes exploits work, besides having weird machines to run them on, are the inputs to those weird machines . The authors’ proposition was that every program that accepts inputs has its own input language . If that input language reaches beyond a minimal level of complex- ity, it is impossible to prove that the program that parses the input language will behave as expected . Instead, the program will be one of the weird machines that run exploits for attackers . The Sassaman proposal has its basis in formal language theory, where a program’s input forms the language and the program includes the parser for this language . We are all familiar with this concept, whether we have written programs or simply entered command lines with options . The options make up the input language, and the program must include a parser that interprets that input language . This example may sound too simple, but there have been command-line programs that were exploitable .