DOC PREVIEW
FSU CIS 5930 - Unix Security

This preview shows page 1-2-3-4-5-6 out of 17 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 17 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 17 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 17 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 17 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 17 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 17 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 17 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Unix SecurityClassifying vulnerability typesDimensions of taxonomyVulnerability classTime and DomainsNumber of components and sourceExample: The Xterm vulnerabilityClassifying the xterm vulnerabilityReading passwordsDetection and mitigationDetection and mitigation (2)Detection and mitigation (3)Detection and mitigation (4)Detection and mitigation (5)Improper validationDetection and mitigation (7)PowerPoint PresentationUnix SecurityAssessing vulnerabilitiesClassifying vulnerability typesSeveral models have been proposed to classify vulnerabilities in UNIX-type OsesE.g., M. Bishop’s “A Taxonomy of UNIX System and Network Vulnerabilities’’ (95)Stated goals of The Taxonomy:Description should be useful for the purpose of designing intrusion detection mechanisms;Techniques provided for finding vulnerabilities of each type;Techniques provided for mitigating their threatDimensions of taxonomyThe taxonomy considered:Vulnerability classTime of introduction Exploitation domainEffect domainMinimum component numberSourceVulnerability classFrom Protection Analysis study:1. Improper protection (initialization and enforcement)1a. Improper choice of initial protection domain1b. Improper isolation of implementation detail1c. Improper protection1d. Improper naming1e. Improper de-allocation or deletion2. Improper validation3. Improper synchronization3a. Improper indivisibility3b. Improper sequencing4. Improper choice of operand or operationTime and DomainsTime of introduction1. Development2. Maintenance3. OperationExploitation domain/Effect domain: Numbering indicates:1. Nothing else is affected2. Network sessions are affected3. Hardware is affected4. Network sessions and hardware are affectedNumber of components and sourceMinimum number of components: Refers to the number of software modules (programs) that must be involved for the vulnerability to be exploitedDirectly impacts the complexity of monitoring for attacks that exploit the vulnerabilitySource: Where the vulnerability was discovered and publishedAffects how likely is that the vulnerability will be exploited, e.g. if automated scripts are availableExample: The Xterm vulnerabilitymknod foo pCreates a device (file) that implements FIFOxterm -lf fooLaunches an xterm with foo as its log filemv foo junkRenames foo as junkln -s /etc/passwd fooCreates symbolic link (alias) to system password filecat junkOpens the other end of a FIFO file, effectively creating a pipe from xterm log to stdout t hrough /etc/passwdClassifying the xterm vulnerabilityVulnerability class: 1c, Improper changeTime of introduction: 1, developmentExploitation domain: 1, UID of xterm programEffect domain: 1, any protection domainMinimum number: 2, xterm process; another process to move file & link password file to nameSource: Posted to USENETReading passwordsType: 1e. Improper de-allocation or deletionIntroduction time: 1. DevelopmentExploitation domain: 1, Group kmem protection domainEffect Domain: 1, Any protection domainMinimum number: 1, Process reading terminal bufferSource: M. Bishop, USENET postingDetection and mitigationImproper choice of initial protection domainTools such as tripwire can be used to create a database of system files and their access rightsDifficult to manually evaluate against abstract policies since there is no formal access control structure in UNIXRequires computation of the access control closure for a particular user classDetection and mitigation (2)Improper isolation of implementation detailEach software component that may affect the protection architecture must be analyzed to decide whether it implements checks at the correct locationExample: The NIS used to implement checks in the clients to prevent attempts to add (e.g. privileged) accounts in the system. However, anyone could write a program to directly connect to the daemon and perform the addition of accounts. Here, it was improper to delegate the check to clients; the operation should be protected by the daemon.Detection and mitigation (3)Improper changeAssumptions about data consistency are not valid in practice: e.g., the xterm attackE.g. of pairs of system call sequences that expose to improper change flaws:access open give read/write access to protected fileaccess unlink delete system-critical fileaccess chroot remove file-system visibility restrictionscreat chown improper change of ownershipopen rename move file to system locationTechniques from software testing and/or pattern matching are requiredDetection and mitigation (4)Improper nameName collision (Trojan horses)Same object, two names (and permission sets)Files (hard links in UNIX)Process IDs (re-use of ID after termination)Simple scanning detects issues of name collision and hard linksFor process ID re-use, it becomes imperative to insert checks in programs to detect the termination of any processes it communicates withDetection and mitigation (5)Improper de-allocation/deletionMemory de-allocated but not cleaned/erasedAllow for programs to read contents written by other processesAuxiliary structures not cleaned at deletionDenial-of-service attack (historic attack on the Process table)Use of de-allocated memorySoftware testing techniques are useful in detecting such problemsImproper validationVerify return values from system callsVerify validity of argumentsSwitch statement have default casesPerform range-checkingUse functions that return error checking information whenever availableDetection and mitigation (7)Improper indivisibility Not properly checking locking mechanismsTime-Of-Check-To-Time-Of-Use issues (TOCTTOU)Improper choice of operand/operationViolation of modularity in designManipulation of data in practice does not correspond to


View Full Document

FSU CIS 5930 - Unix Security

Download Unix Security
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Unix Security and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Unix Security 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?