NU MSIT 458 - Designing and Writing Secure Code

This preview shows page 1-2-14-15-29-30 out of 30 pages.


Slides in this deck: Outline; General Principles; Compartmentalization; Defense in Depth; Secure the weakest link; Promote Privacy; Keep It Simple; Don't reinvent the wheel; Example: Mail Transport Agents; Simplified Mail Transactions; Example: Qmail; Structure of qmail; Least Privilege in Qmail; Principles, sendmail vs qmail; Least privilege; Keep it simple; Backup Slides; Security by Obscurity …; Designing and Writing Secure Code; Secure Programming Techniques: An Abstract View of Program; Secure Programming; Comparison; Comparison with other MTAs.

Outline
• Designing and Writing Secure Code
  – General principles for architects/managers
  – Example: sendmail vs qmail
• Compiler Primer: Run-time Environment and Program Organization
• Buffer Overflow

General Principles
• Compartmentalization
  – Principle of least privilege
  – Minimize trust relationships
• Defense in depth
  – Use more than one security mechanism
  – Secure the weakest link
  – Fail securely
• Promote privacy
• Keep it simple
• Consult experts
  – Don't build what you can easily borrow/steal
  – Open review is effective and informative
Have you applied them in your design / evaluation?

Compartmentalization
• Divide the system into modules
  – Each module serves a specific purpose
  – Assign different access rights to different modules
    • Read/write access to files
    • Read user or network input
    • Execute privileged instructions (e.g., Unix root)
• Principle of least privilege
  – Give each module only the rights it needs
• Minimize trust relationships
  – Clients and servers should not trust each other
    • Both can get hacked
  – Trusted code should not call untrusted code

Defense in Depth
• Failure is unavoidable – plan for it
• Have a series of defenses
  – If an error or attack is not caught by one mechanism, it should be caught by another
• Examples
  – Firewall + network intrusion detection
• Fail securely
  – Many, many vulnerabilities are related to error handling, debugging or testing features, and error messages
  – Ensure that you handle errors
  – Do not expose system internals even in case of errors
    • Stack traces, internal errors, ... shown to clients
  – Test whether your system fails securely

Defense in Depth
[Figure, from MSDN: Application.exe calls into Application.dll; each boundary performs its own security check ("Check security" at every layer), and the resource itself is secured with an ACL rather than relying on the callers' checks.]

Secure the weakest link
• Think about possible attacks
  – How would someone try to attack this?
  – What would they want to accomplish?
• Find the weakest link(s)
  – The crypto library is probably pretty good
  – Is there a way to work around the crypto?
    • Data is stored in encrypted form; where is the key stored?
• Main point
  – Do a security analysis of the whole system
  – Spend your time where it matters

Promote Privacy
• Discard information when it is no longer needed
  – No one can attack the system to get information it no longer holds
• Examples
  – Don't keep a log of old session keys
  – Delete firewall logs
  – Don't run unnecessary services (fingerd)
• Hiding sensitive information is hard
  – Information in compiled binaries can be found
  – Insider attacks are common

Keep It Simple
• Use standard, tested components
  – Don't implement your own cryptography
• Don't add unnecessary features
  – Extra functionality → more ways to attack
• Use simple algorithms that are easy to verify
  – A trick that may save a few instructions may
    • Make it harder to get the code right
    • Make it harder to modify and maintain the code

Don't reinvent the wheel
• Consult experts
• Allow public review
• Use software and designs that others have used
• Examples
  – Bad use of crypto: 802.11b (WEP)
  – Protocols without expert review: early 802.11i
  – Use a standard URL parser, crypto library, good random number generator, ...

Example: Mail Transport Agents
• Sendmail
  – Complicated system
  – Source of many vulnerabilities
• Qmail
  – Simpler system designed with security in mind
  – Gaining popularity
Qmail was written by Dan Bernstein, starting in 1995.
$500 reward for a successful attack; no one has collected.

Simplified Mail Transactions
[Figure: sender's MUA → MTA → MTA → MDA → recipient's mbox, with an MUA and an MDA at each end.]
• Message composed using an MUA
• MUA gives the message to an MTA for delivery
  – If local, the MTA gives it to the local MDA
  – If remote, it is transferred to another MTA

Example: Qmail
• Compartmentalize
  – Nine separate modules
  – If one module is compromised, the others are not
• Move separate functions into mutually untrusting programs
• Always validate input from other modules

THE BIG Qmail PICTURE
[Figure: tcpserver / tcp-env / inetd → qmail-smtpd (SMTP from the network); MUA → qmail-inject (from local); both feed qmail-queue → qmail-send. For local delivery qmail-send drives qmail-lspawn → qmail-local → mbox / maildir / program delivery; for remote delivery qmail-rspawn → qmail-remote → remote mail server. A message forwarded by qmail-local re-enters the qmail system through qmail-queue.]

Structure of qmail
[Figure, repeated across the following slides with the active module highlighted: qmail-smtpd and qmail-inject feed qmail-queue; qmail-queue feeds qmail-send; qmail-send drives qmail-lspawn → qmail-local and qmail-rspawn → qmail-remote.]
• Incoming SMTP mail enters through qmail-smtpd; other incoming mail through qmail-inject
• qmail-queue
  – Reads the message and creates an entry in the mail queue
  – Signals qmail-send
• qmail-send signals
  – qmail-lspawn if local
  – qmail-rspawn (which runs qmail-remote) if remote
• qmail-lspawn
  – Spawns qmail-local
  – qmail-local runs with the UID of the user receiving local mail
• qmail-local
  – Handles alias expansion
  – Delivers local mail
  – Calls qmail-queue if needed (e.g., to forward a message)
• qmail-remote
  – Delivers the message to the remote MTA

Least Privilege in Qmail
• Each module uses the least privileges necessary
• Each runs under its own non-privileged account (qmaild, qmailr, qmails, qmailq, ...)
  – Except one, which runs as root
• Only one runs as root: qmail-lspawn (apart from qmail-start, which only starts the others)
  – Spawns the local delivery program under the UID and GID of the user being delivered to
  – Always changes its uid to the recipient's before running a user-specified program

Principles, sendmail vs qmail
• Do as little as possible in setuid programs
  – Of 20 recent sendmail security holes, 11 worked only because the entire sendmail system is setuid
  – Only qmail-queue is setuid
    • Its only function is to add a new message to the queue
• Do as little as possible as root
  – The entire sendmail system runs as root
• Operating system
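The last two slides turn on a single operation: qmail-lspawn, the one module that runs as root, gives up root before it runs anything the recipient controls. As an added example (not from the slides and not qmail's own code), the C below shows that privilege drop done in the order that actually works, followed by a check that it took effect rather than trust in the return codes alone. The function names, the refusal to drop to uid/gid 0, and the use of id(1) as a stand-in for the recipient's delivery program are this example's own choices.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged uid/gid for good. Returns 0 on success, -1 on
   failure with errno set. After success the process cannot regain what it
   gave up. (Illustrative helper, not a qmail function.) */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Policy: never "drop" to uid 0 or gid 0. A recipient whose account
       resolves to root, or a lookup bug that yields 0, would otherwise run
       the delivery program with full privileges. */
    if (uid == 0 || gid == 0) {
        errno = EPERM;
        return -1;
    }

    /* 1. Clear supplementary groups. Only root may do this, and only root
          has anything worth clearing; an unprivileged caller keeps its list. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* 2. Primary gid before uid: once setuid() has moved to a non-root uid
          the process may no longer change its gid, so doing this last would
          fail and leave the root group behind. */
    if (setgid(gid) != 0)
        return -1;

    /* 3. Finally the uid. Called as root, setuid() sets real, effective and
          saved uid together, so no saved root uid remains to return to. */
    if (setuid(uid) != 0)
        return -1;

    return 0;
}

/* Verify the drop actually took: all four ids must match the target, and an
   attempt to become root again must fail (EPERM). This is "test whether your
   system fails securely" applied to the drop itself. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (setuid(0) == 0)          /* must fail; if it succeeds, root is still reachable */
        return 0;
    return 1;
}

/* Demo: drop to the uid/gid given on the command line (default: the caller's
   own ids, the only ones an unprivileged caller may request), prove the drop
   held, then exec id(1) in place of a recipient's delivery program. */
int main(int argc, char **argv)
{
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop did not take effect; refusing to run\n");
        return 1;
    }
    execlp("id", "id", (char *)NULL);
    perror("execlp");            /* reached only if the exec itself fails */
    return 1;
}
```

Run as root with a target such as `./drop 1001 1001` and id(1) reports the target user with no supplementary groups; run unprivileged with no arguments and it drops to your own ids, which is all an unprivileged process is allowed to ask for. Asking for uid 0 is refused before any system call is made. The point of privileges_dropped is that setgid() and setuid() returning 0 is not the whole story: the code asks the kernel who it is now and whether root is still reachable, and refuses to exec the user-controlled program unless both answers are right.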