DOCSLIB.ORG

How Attackers Break Programs, and How to Write Programs More Securely

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

How Attackers Break Programs, and How To Write Programs More Securely Matt Bishop Department of Computer Science University of California at Davis Davis, CA 95616-8562 United States of America email: [email protected] www: http://seclab.cs.ucdavis.edu/~bishop phone: +1 (530) 752-8060 © 2002 by Matt Bishop This page deliberately left blank. That is, this page would have been blank except that we had to put the notice "this page deliberately left blank" on it. Otherwise, you might have seen the blank page and worried that someone left a page out of your booklets. So, we put a note on the blank page to assure you that no-one forgot to put something on this page; indeed, we intended for it to be blank. But we could not live up to our intentions, for the reason stated above, so we couldn't put a blank page in here. We had to put a page with some writing on it. So we couldn't put the notice "this page deliberately left blank" because it's not true and, if we couldn't tell when a page is blank, you'd doubt the veracity of everything we did. So we wrote this paragraph to ... oh, heck, forget it. Table of Contents sections slides Overview..................................... 1— 13 Attacking Programs ........................... 14—123 Overview .......................14 — 20 Users and Privilege ...............21 — 29 Environment ....................30 — 48 Buffer Overflow ..................49 — 70 Numeric Overflow ................71 — 76 Validation and Verification .........77 — 92 Race Conditions..................93—112 Denial of Service ............... 113—121 Environment .................. 122—123 Writing Better Programs ......................124—379 Overview ..................... 124—126 Design Principles ............... 127—137 Users and Privileges ............ 138—167 Environment .................. 168—201 Validation and Verification ....... 202—225 Race Conditions................ 226—266 Files and Subprocesses.......... 267—279 Error Handling ................. 280—286 System and Library Calls ........ 287—326 Miscellaneous Points ............ 327—336 Examples ..................... 337—371 Resources .................... 372—378 Conclusion ..........................379 papers 1. M. Bishop, “Robust Programming,” handout for ECS 153, Introduction to Computer Security, Department of Computer Science, University of California, Davis. 2. M. Bishop, source code to the program lsu 3. M. Bishop, source code for the function mpopen 4. M. Bishop, source code to the function trustfile This page deliberately left blank. How Attackers Attack Programs … SANS 2002 Annual Conference How Attackers Attack Programs, and How to Write More Secure Programs Matt Bishop SANS 2002 ©2002 by Matt Bishop. Slide #1 All rights reserved. Author Information Matt Bishop Department of Computer Science University of California at Davis Davis, CA 95616-8562 email: [email protected] www: http://seclab.cs.ucdavis.edu/~bishop phone: +1 (530) 752-8060 ©2002 by Matt Bishop. Slide #2 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference Goals of This Talk • Show you how attackers look at programs for potential vulnerabilities • Show you how to write programs which are: – To be run by root (or some other user) – Are setuid or setgid to you (or root, or …) – Can't be tricked into doing what they are not intended to do ©2002 by Matt Bishop. Slide #3 All rights reserved. About This Talk • Principles, concepts broadly applicable – They apply to Windows NT/95/98/2000, MacOS X, and all other systems – This talk draws examples, applications from various flavors of both UNIX and Linux systems • Issues arise in multiple languages – Examples here are from C (with a bit of shell scripting) – Same rules apply to PERL, CGI programming on the web (especially CGI programming!), shell scripts, etc. ©2002 by Matt Bishop. Slide #4 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference More About This Talk • Examples are both current and historical – Sub-theme is that these problems are old and recurring and we need to start handling them – Historical ones are often cleaner examples than current ones because the systems were simpler • Focus on implementation, not design – Design principles critical to secure programming –A class in itself • So in the interests of time, we’ll just skim them ©2002 by Matt Bishop. Slide #5 All rights reserved. Brief Table of Contents Overview 1– 13 Attacking Programs 14– 20 Users and Privileges 21– 29 Environment Variables 30– 48 Buffer Overflows 49– 70 Numeric Overflow 71– 76 Verification and Validation 77– 92 Race Conditions 93–112 Denial of Service 113–121 Conclusion 122–123 ©2002 by Matt Bishop. Slide #6 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference Brief Table of Contents (con’t) Writing Better Security Programs 124–126 Design Principles 127–137 Users and Privileges 138–167 Environment 168–201 Verification and Validation 202–225 Race Conditions 226–266 Files and Subprocesses 267–279 Error Handling 280–286 System and Library Calls 287–326 ©2002 by Matt Bishop. Slide #7 All rights reserved. Brief Table of Contents (con’t) Miscellaneous Points 327–336 Examples 337–371 Resources 372–378 Conclusion 379 ©2002 by Matt Bishop. Slide #8 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference Overview Goal of this section – To define various terms, including what a vulnerability is • What is a privileged program? • How does a security policy affect this? ©2002 by Matt Bishop. Slide #9 All rights reserved. Key Concepts • privilege – Running with rights other than those obtained by logging in; or running as superuser • protection domain – All objects to which the process has access, and the type of access the process has ©2002 by Matt Bishop. Slide #10 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference Interesting Programs • Change privilege – Setuid, setgid programs • Assume atomicity of some functions – Checking access permission and opening a file • Trust environment – Programs that assume they are loaded as compiled – Programs that trust input to be well-formed – Programs that assume caller has cleaned up signals, open files ©2002 by Matt Bishop. Slide #11 All rights reserved. Heart of the Problem All vulnerabilities are defined with respect to a security policy, which says: – What the program is allowed to do • Access a particular directory – What the program is not allowed to do • Access any other files – Takes into account constraints imposed by system administration, organization procedures, law, etc. ©2002 by Matt Bishop. Slide #12 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference End of Overview Key points: • Privilege is not only setuid or setgid – If root runs a regular program, the resulting process is executing with privileges – If someone else runs one of your programs, the resulting process is executing with privileges • An attack is an attempt to violate the security policy – If violation occurs, attack is successful – If no violation of policy, attack failed ©2002 by Matt Bishop. Slide #13 All rights reserved. Attacking Programs Goal of this section – To explain how attackers look for problems, and show how they exploit them • Where to look • What to look for –A simple list; references have several models – Explore each list member in detail ©2002 by Matt Bishop. Slide #14 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference Where To Look • Network servers – Unknown users can access them • Local servers – They perform acts normal users cannot • Anything setuid or setgid – These have privileges • Shared resources – Privileged and unprivileged users both use these – This includes (local, remote) clients of servers ©2002 by Matt Bishop. Slide #15 All rights reserved. Network Servers • Accessible from throughout the network • Gives access to system – Attacker may not have access to account on target • Usually has privileges of some kind – root or daemon; may be only that of ordinary user • But you can usually get whatever you need from any of these • May make bogus assumptions – Weak authentication (identity from IP address) • May be poorly written ©2002 by Matt Bishop. Slide #16 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference Local Servers • Accessible through system entry point – Usually socket, shared directory, shared files • Usually has privileges of some kind – root, daemon, or some other system user • May make bogus assumptions – Determine requester’s identity from ancillary information (file ownership, etc.) • Initial environment may be poorly configured • May be poorly written ©2002 by Matt Bishop. Slide #17 All rights reserved. Setuid, Setgid Programs • Execute with privileges other than that of user • Executes in user’s environment – User’s environment may be incorrectly configured • Usually has privileges of some kind – root, daemon, or some other system user • May make bogus assumptions – Determine requester’s identity from ancillary information (file ownership, etc.) • May be poorly written ©2002 by Matt Bishop. Slide #18 All rights reserved. How Attackers Attack Programs … SANS 2002 Annual Conference Clients • Connect to (local or remote) servers • May not check input thoroughly – Browsers may pass environment information via command strings – If client is remote, can attack remote system with no other information beyond the server’s existence • Need not be privileged – Client connects to privileged
Recommended publications
  • The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual

    The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual

    The Samhain Host Integrity Monitoring System The Samhain Host Integrity Monitoring System This is version 2.4.3 of the Samhain manual. Copyright © 2002-2019 Rainer Wichmann Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation Licensefrom the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. This manual refers to version 4.4.0 of Samhain. Table of Contents 1. Introduction .............................................................................................................. 1 1. Backward compatibility ...................................................................................... 1 2. Compiling and installing ............................................................................................. 2 1. Overview ......................................................................................................... 2 2. Requirements .................................................................................................... 3 3. Download and extract ......................................................................................... 3 4. Configuring the source ......................................................................................
  • Cloaker: Hardware Supported Rootkit Concealment

    Cloaker: Hardware Supported Rootkit Concealment

    Cloaker: Hardware Supported Rootkit Concealment Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell Department of Computer Science University of Illinois at Urbana-Champaign 201 N Goodwin Ave, Urbana, IL 61801 {fdavid,emchan,jcarlyle,rhc}@uiuc.edu Abstract signers resorted to more complex techniques such as modi- fying boot sectors [33, 51] and manipulating the in-memory Rootkits are used by malicious attackers who desire to image of the kernel. These rootkits are susceptible to de- run software on a compromised machine without being de- tection by tools that check kernel code and data for alter- tected. They have become stealthier over the years as a ation [43, 13, 42, 21]. Rootkits that modify the system consequence of the ongoing struggle between attackers and BIOS or device firmware [25, 26] can also be detected by system defenders. In order to explore the next step in rootkit integrity checking tools. More recently, virtualization tech- evolution and to build strong defenses, we look at this issue nology has been studied as yet another means to conceal from the point of view of an attacker. We construct Cloaker, rootkits [31, 44]. These rootkits remain hidden by running a proof-of-concept rootkit for the ARM platform that is non- the host OS in a virtual machine environment. To counter persistent and only relies on hardware state modifications the threat from these Virtual Machine Based Rootkits (VM- for concealment and operation. A primary goal in the de- BRs), researchers have detailed approaches to detect if code sign of Cloaker is to not alter any part of the host oper- is executing inside a virtual machine [20].
  • A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools

    A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools

    International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-1, Issue-10, Dec-2013 A BRIEF STUDY AND COMPARISON OF, OPEN SOURCE INTRUSION DETECTION SYSTEM TOOLS 1SURYA BHAGAVAN AMBATI, 2DEEPTI VIDYARTHI 1,2Defence Institute of Advanced Technology (DU) Pune –411025 Email: [email protected], [email protected] Abstract - As the world becomes more connected to the cyber world, attackers and hackers are becoming increasingly sophisticated to penetrate computer systems and networks. Intrusion Detection System (IDS) plays a vital role in defending a network against intrusion. Many commercial IDSs are available in marketplace but with high cost. At the same time open source IDSs are also available with continuous support and upgradation from large user community. Each of these IDSs adopts a different approaches thus may target different applications. This paper provides a quick review of six Open Source IDS tools so that one can choose the appropriate Open Source IDS tool as per their organization requirements. Keywords - Intrusion Detection, Open Source IDS, Network Securit, HIDS, NIDS. I. INTRODUCTION concentrate on the activities in a host without considering the activities in the computer networks. Every day, intruders are invading countless homes On the other hand, NIDS put its focus on computer and organisations across the country via virus, networks without examining the hosts’ activities. worms, Trojans, DoS/DDoS attacks by inserting bits Intrusion Detection methodologies can be classified of malicious code. Intrusion detection system tools as Signature based detection, Anomaly based helps in protecting computer and network from a detection and Stateful Protocol analysis based numerous threats and attacks.
  • The Forseti Distributed File Integrity Checker

    The Forseti Distributed File Integrity Checker

    Cluster Security with NVisionCC: The Forseti Distributed File Integrity Checker Adam J. Lee†‡, Gregory A. Koenig†‡, and William Yurcik† †National Center for Supercomputing Applications ‡Department of Computer Science University of Illinois at Urbana-Champaign {adamlee, koenig, byurcik}@ncsa.uiuc.edu Abstract for a number of malicious actions. In many cases, the password used to log into a single node can be used Attackers who are able to compromise a single node to access a large number of nodes in the system, al- in a high performance computing cluster can use that lowing the attacker to utilize the vast computing and node as a launch point for a number of malicious ac- storage capabilities of the compromised cluster to carry tions. In many cases, the password used to log into out brute-force password cracking, launch distributed a single node can be used to access a large number of denial of service attacks, or serve illegal digital content. nodes in the system, allowing the attacker to utilize the Additionally, an attacker can listen to network traffic vast computing and storage capabilities of the compro- for other users to log into their compromised nodes in mised cluster to sniff network traffic, carry out brute- hopes of learning passwords for other accounts on these force password cracking, launch distributed denial of systems. service attacks, or serve illegal digital content. Often, The recent rise in popularity of grid computing has these types of attackers modify important system files exacerbated this problem by increasing the amount to collect passwords to other accounts, disable certain of damage that can be caused with a single compro- logging facilities, or create back-doors into the system.
  • Status and Projections of the NAS Program Frank R

    Status and Projections of the NAS Program Frank R

    https://ntrs.nasa.gov/search.jsp?R=19870015491 2020-03-20T10:46:12+00:00Z View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by NASA Technical Reports Server NASA Technical Memorandum 88339 . , Status and Projections of the NAS Program Frank R. Bailey EECGECTIOIS CP f Avail: NTlS P87-24924 CSCL 09B 63 Unclad 0080153 July 1986 National Aeronautics and Space Administration ~~ ~ NASA Technical Memorandum 88339 Status and Projections of the NAS Program Frank R. Bailey, Ames Research Center, Moffett Field, California July 1986 NASA National Aeronautics and Space Adminlstratlon Ames Research Center Moffett Field. California 94035 STATUS AND PROJECTIONS OF THE NAS PROGRAM by Dr. F. Ron Bailey to be presented at the SYMPOSIUM ON FUTURE DIRECTIONS OF COMPUTATIONAL MECHANICS ASME Winter Annual Meeting December 7-12, 1986 Anaheim, California ABSTRACT NASA's Numerical Aerodynamic Simulation (NASI Program has completed devel- opment of the initial operating configuration of the NAS Processing System Net- work (NPSN). This is the first milestone in the continuing and pathfinding effort to provide state-of-the-art supercomputing for aeronautics research and development. The NPSN, available to a nation-wide community of remote users, provides a uniform UNIX 1 environment over a network of host computers ranging from the new Cray-2 supercomputer to advanced scientific workstations. This system, coupled with a vendor-independent base of common user interface and network software, presents a new paradigm for supercomputing environments. Presented here is the background leading to the NAS Program, its programmatic goals and strategies, technical goals and objectives, and the development activ- ities leading to the current NPSN configuration.
  • I3FS: an In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University

    I3FS: an In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University

    I3FS: An In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University Appears in the proceedings of the 18th USENIX Large Installation System Administration Conference (LISA 2004) Abstract System administrators must stay alert to protect their systems against the effects of malicious intrusions. In Today, improving the security of computer systems this process, the administrators must first detect that an has become an important and difficult problem. Attack- intrusion has occurred and that the system is in an in- ers can seriously damage the integrity of systems. At- consistent state. Second, they have to investigate the tack detection is complex and time-consuming for sys- damage done by attackers, like data deletion, adding in- tem administrators, and it is becoming more so. Current secure Trojan programs, etc. Finally, they have to fix integrity checkers and IDSs operate as user-mode utili- the vulnerabilities to avoid future attacks. These steps ties and they primarily perform scheduled checks. Such are often too difficult and hence machines are mostly re- systems are less effective in detecting attacks that hap- installed and then reconfigured. Our work does not aim pen between scheduled checks. These user tools can be at preventing malicious intrusions, but offers a method easily compromised if an attacker breaks into the sys- of notifying administrators and restricting access once tem with administrator privileges. Moreover, these tools an intrusion has happened, so as to minimize the effects result in significant performance degradation during the of attacks. Our system uses integrity checking to detect checks.
  • Einführung in Z/OS Und OS/390

    Einführung in Z/OS Und OS/390

    Einführung in z/OS und OS/390 Dr. rer. nat. Paul Herrmannn Prof. Dr.-Ing. Wilhelm G. Spruth WS 2006/2007 Teil 3 z/OS Betriebssystem es 0101 ww6 wgs 09-99 System z und S/390 Betriebssysteme z/OS IBM große Installationen (OS/390, MVS) z/VSE IBM mittelgroße Installationen z/VM IBM Virtualisierung, Software Entwicklung TPF IBM spezialisierte Transaktionsverarbeitung UTS 4 Amdahl based on System V, Release 4 (SVR4) OSF/1 Hitachi Open System Foundation Unix z/Linux Public Domain Alle System z bzw. S/390 Betriebssysteme sind Server Betriebssysteme, optimiert für den Multi-User Betrieb es 0521z ww6 wgs 09-99 Transaction Processing Facility TPF 13. Oktober 2006. Die Firma Worldspan, ein weltweiter Anbieter von Reise-Reservierungs- systemen, hat sich für den Einsatz von sechs IBM System z9 Enterprise Class (EC) Mainframe-Servern entschieden. Worldspan will damit sein Angebot an elektronischen Datendiensten erweitern, um circa 700 Anbietern von Reiseangeboten und Millionen von Reisenden weltweit eine gemeinsame Plattform anbieten zu können. Worldspan setzt die neuen IBM System z9 EC Server ein, um sowohl Reisebüros als auch Anbietern von Online-basierten Reisediensten die Möglichkeit zur Nutzung des weltweiten Global Distribution System (GDS) zu geben, über das zum Beispiel die Bestellung und Buchung von Reiseprodukten von Flugzeugtickets, Hotels, Mietwagen und andere Reisedienstleistungen durchgeführt wird. Durch die Nutzung der Software „IBM Transaction Processing Facility“ (TPF) ist Worldspan in der Lage, 17.000 Kundenanfragen pro Sekunde auf
  • SM User Guide

    SM User Guide

    Oracle® Communications Tekelec Virtual Operating Environment Licensing Information User Manual Release 3.5 E93070-01 November 2017 Copyright ©2010, 2017 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
  • Joseph S. Mertz Jr. EDUCATION

    Joseph S. Mertz Jr. EDUCATION

    Jan 2020 Joseph S. Mertz Jr. H. John Heinz III College & Dietrich College of Humanities and Social Sciences Carnegie Mellon University Pittsburgh, PA 15213-3890 Phone: (412) 268-2540 Email: [email protected] EDUCATION: 1995 Carnegie Mellon University Ph.D. in Engineering and Public Policy 1983 University of Southern California M.S. in Computer Science 1982 Pennsylvania State University B.S. in Computer Science ACADEMIC APPOINTMENTS: Carnegie Mellon University 2018 – present: Director - Information Systems Program 2015 – present: Teaching Professor Joint 50/50 appointment: H. John Heinz III College Dietrich College of Humanities & Social Sciences Information Systems Program 2010 – 2015: Associate Teaching Professor Joint 50/50 appointment: H. John Heinz III College Dietrich College of Humanities & Social Sciences Information Systems Program 2005 – 2010: Associate Teaching Professor Joint 50/50 appointment: H. John Heinz III College School of Computer Science Spring 2009: Associate Teaching Professor Carnegie Mellon Qatar Computer Science Spring 2008: Associate Teaching Professor Carnegie Mellon Qatar Computer Science 2002 – 2005: Associate Teaching Professor Joint 50/50 appointment: Mertz-CV H. John Heinz III School of Public Policy & Management School of Computer Science 1996 – 2002: Co-Director Center for University Outreach 1994 – 1996: Post Doctoral Fellow Center for Innovation in Learning 1988 – 1995: Graduate Research Assistant Department of Engineering & Public Policy University of Puerto Rico 1986 – 1987: Visiting Professor Department of Electrical & Computer Engineering Illinois Benedictine College 1984: Adjunct Instructor Computer Science AWARDS: Mark Gelfand Service Award for Educational Outreach – 2012 Annual University honor for sustained, effective community service with academic coursework to enhance learning, and teach social responsibility. Nominated for the Martcia Wade Teaching Award – 2012 H.
  • Designing a New Infrastructure for ATLAS Online Web Services

    Designing a New Infrastructure for ATLAS Online Web Services

    EPJ Web of Conferences 245, 07030 (2020) https://doi.org/10.1051/epjconf/202024507030 CHEP 2019 Designing a New Infrastructure for ATLAS Online Web Ser- vices Sergio Ballestrero1, Franco Brasolin2, Arturo Sanchez Pineda3, Diana Alessandra Scannicchio4;∗, and Matthew Shaun Twomey5 1University of Johannesburg, South Africa 2Istituto Nazionale di Fisica Nucleare Sezione di Bologna, Italy 3INFN Gruppo Collegato di Udine and Università di Udine, Italy 4University of California Irvine, United States of America 5University of Washington, United States of America Abstract. Within the ATLAS detector, the Trigger and Data Acquisition system is responsible for the online processing of data streamed from the detector dur- ing collisions at the Large Hadron Collider (LHC) at CERN. The online farm is composed of ∼4000 servers processing the data read out from ∼100 million detector channels through multiple trigger levels. The capability to monitor the ongoing data taking and all the involved applications is essential to debug and intervene promptly to ensure efficient data taking. The base of the current web service architecture was designed a few years ago, at the beginning of the AT- LAS operation (Run 1). It was intended to serve primarily static content from a Network-attached Storage, and privileging strict security, using separate web servers for internal (ATLAS Technical and Control Network - ATCN) and exter- nal (CERN General Purpose Network and public internet) access. During these years, it has become necessary to add to the static content an increasing number of dynamic web-based User Interfaces, as they provided new functionalities and replaced legacy desktop UIs. These are typically served by applications on VMs inside ATCN and made accessible externally via chained reverse HTTP proxies.
  • Ecryptfs: an Enterprise-Class Encrypted Filesystem for Linux

    Ecryptfs: an Enterprise-Class Encrypted Filesystem for Linux

    eCryptfs: An Enterprise-class Encrypted Filesystem for Linux Michael Austin Halcrow International Business Machines [email protected] Abstract the integrity of the data in jeopardy of compro- mise in the event of unauthorized access to the media on which the data is stored. eCryptfs is a cryptographic filesystem for Linux that stacks on top of existing filesys- While users and administrators take great tems. It provides functionality similar to that of pains to configure access control mecha- GnuPG, except the process of encrypting and nisms, including measures such as user ac- decrypting the data is done transparently from count and privilege separation, Mandatory Ac- the perspective of the application. eCryptfs cess Control[13], and biometric identification, leverages the recently introduced Linux ker- they often fail to fully consider the circum- nel keyring service, the kernel cryptographic stances where none of these technologies can API, the Linux Pluggable Authentication Mod- have any effect – for example, when the me- ules (PAM) framework, OpenSSL/GPGME, dia itself is separated from the control of its the Trusted Platform Module (TPM), and the host environment. In these cases, access con- GnuPG keyring in order to make the process trol must be enforced via cryptography. of key and authentication token management When a business process incorporates a cryp- seamless to the end user. tographic solution, it must take several issues into account. How will this affect incremental backups? What sort of mitigation is in place to address key loss? What sort of education is 1 Enterprise Requirements required on the part of the employees? What should the policies be? Who should decide them, and how are they expressed? How dis- Any cryptographic application is hard to imple- ruptive or costly will this technology be? What ment correctly and hard to effectively deploy.
  • 17. Websphere Application Server

    17. Websphere Application Server

    17. WebSphere Application Server 17.1 z/OS as a Unix System 17.1.1 Unix Betriebssysteme Welche Server-Betriebssysteme findet man in der Praxis ? • Windows, verschiedene Varianten • Unix, verschiedene Varianten • i-Series, OS/400 • zSeries Betriebssysteme – z/OS, z/VM, z/VSE, TPF Welche wesentlichen Unix Varianten existieren ? • HP/UX • SunSolaris • IBM AIX • Siemens Sinix Unix Systeme sind weitestgehend, • MacOS (BSD) aber nicht 100 % kompatibel • Linux, einschließlich zLinux • z/OS Unix System Services Führende Unix Großrechner sind: • Integrity Superdome von HP mit Itanium Prozessoren und dem HP-UX Betriebssystem • M9000 bzw. SPARC M5-32 Server von Oracle mit Sparc Prozessoren und dem Solaris Betriebssystem. Ein verwandtes Produkt wird von der Firma Fujitsu unter dem Namen „SPARC Enterprise Server“ vertrieben. • System p von IBM mit PowerPC Prozessoren und dem AIX Betriebssystem Neben den proprietären Unix Dialekten ist auf diesen Rechnern auch Linux verfügbar. Performance Unix versus z/OS Die I/O Leistung eines Rechners wird gemessen in der Anzahl von I/O Operationen pro Sekunde unter realistischen Betriebsbedingungen. Konkrete Untersuchungen sind nie veröffentlicht worden, aber es wird allgemein angenommen, dass die z/OS I/O Leistung vielleicht um einen Faktor 3 - 10 höher als die I/O Leistung von großen Unix Rechnern wie Superdome und M9000 ist. 17-1 17.1.2 Was definiert ein Unix System ? Unix wurde ursprünglich von Ken Thompson und Dennis Ritchie an den Bell Telephone Laboratories für Rechner der Digital Equipment Corporation (DEC) entwickelt und 1971 erstmalig im praktischen Betrieb eingesetzt. Schon bald entstanden (fast) kompatible Implementierungen für andere Rechner. Aus Bemühungen um einen einheitlichen Unix Standard entstand die Portable Operating System Interface (POSIX).