- Applied Information Security: A Hands-on Approach - PDF Free Download
- Applied Information Security
- Applied Information Security (Hands On Approach).pdf -...
- Applied Information Security: A Hands-on Approach
After presenting the basics of security principles, virtual environments, and network services, the authors explain the core security principles of authentication and access control, logging and log analysis, web application security, certificates and public-key cryptography, and risk management. The book concludes with appendices on the design of related courses, report templates, and the basics of Linux as needed for the assignments.
The authors have successfully taught IT security to students and professionals using the content of this book and the laboratory setting it describes. The book can be used in undergraduate or graduate laboratory courses, complementing more theoretically oriented courses, and it can also be used for self-study by IT professionals who want hands-on experience in applied information security. The authors' supporting software is freely available online and the text is supported throughout with exercises.
B Report Template. The lower layers implement basic functionality e. By organizing network protocols this way, a higher-layer protocol can use a lower-layer protocol as a service. This is analogous to layering elsewhere, such as applications running on an operating system running on hardware. These protocols use the transport layer to transfer messages between clients and servers. The transport layer provides end-to-end message transfer independent of the underlying network.
It also splits the messages into segments and implements error control, port number addressing application addressing and additional features. The transport layer wraps layerspecific information around the segments and passes them to the internet layer. This wrapping and unwrapping is called encapsulation and decapsulation, respectively. The internet layer, also called the IP layer, solves the problem of sending datagrams across one or more networks.
To do so, the internet layer identifies and addresses the source host and the destination host and routes the datagrams hop by hop from the source to the intended destination. When the next hop is determined, the link layer implements the physical transmission of data to the next host. Upon reaching the final destination, the encapsulated datagram is passed upwards, layer by layer, until the entire message reaches the application layer for further processing.
Figure 3. On the client, the application-layer message is passed down the network stack with each layer adding information headers and trailers to the data it receives. At the link layer, the physical representation of each datagram called a frame is sent over wireless LAN using the We provide below more details on the internet layer and the transport layer. It delivers transport layer segments across networks and provides a connectionless datagram transport service.
The datagram is encapsulated with an IP header specifying the source and destination addresses. The protocol then passes the encapsulated datagram to the link layer, where it is sent over the next intermediate link and iteratively forwarded over multiple nodes to the destination. IP is unreliable in that datagrams may be lost or reordered en route.
Examples are when the destination host is unreachable or when an IP datagram has exceeded the time to live, which is defined in the IP header and refers to the maximum number of hops between the source and the destination host. In the following, we introduce the relevant properties of both protocols that we need for this and subsequent chapters. Transmission Control Protocol TCP is a connection-oriented protocol that provides reliable host-to-host communication. Segments are ordered according to sequence numbers defined in the TCP 30 3 Network Services header, and lost segments are retransmitted.
Before any data is sent over a TCP connection, the source and destination hosts establish a transport-layer connection by executing a three-way handshake. If the target host is not listening on the requested TCP port i. After successfully establishing a connection, data can be reliably transmitted. Note that data may be transported, and thus confirmed, multiple times within a session.
Moreover data may be transmitted in either direction. Data segments are sent without first establishing a connection, and reception of a segment does not require sending a response. Whereas TCP guarantees reception of transmitted segments in the correct order by tracking message sequence numbers, UDP is an unreliable transport protocol.
Although reliability of transport and correct order of datagrams seem to be important guarantees provided by a transport layer protocol, there are applications which prefer the transport speed of an unreliable protocol over the delay introduced by reordering or retransmission of segments. Examples include video-streaming or telephony. In this case retransmission is preferred over session establishment. The adversary may also actively determine which ports are open on the target machine by sending IP datagrams and analyzing the responses.
This is called port scanning. The simplest way to determine the set of open ports on a target machine is to try to connect to every single port. If completion of the handshake fails if the port is closed, the target typically responds with a TCP reset segment the adversary considers the port to be closed. However, this method has an important drawback: It typically leaves traces on the target machine, such as error messages or a large number of interrupted sessions.
To prevent or complicate detection, there exist so-called stealth scans. This type of scan exploits the fact that operating systems react to invalid connection attempts. Based on answers to invalid attempts, an adversary can decide if the corresponding port is open or not. Since these attempts do not result in established sessions, the application waiting for input from the corresponding port will not create error messages. Moreover port scanners such as Nmap have additional options that try to circumvent firewalls. Firewalls, in turn, may try to detect or prevent stealth scans.
The TCP specification leaves some details unspecified and implementations of these details 32 3 Network Services often differ, for example, how an operating system reacts to invalid connection requests. This enables one to determine the TCP fingerprints of different operating systems. A detailed explanation of how OS-detection works can be found on the Internet [9, 17]. Recall that Nmap is installed on mallet and it must be started with root privileges to use some options.
Port 22 is usually used by SSH. Port 24 is reserved for private mail systems and is typically closed. Adding the option -v to the command yields additional output information. By adding the option -s one can choose from a number of different scan methods. Another well-known scan method is the previously mentioned stealth scan. This scan method allows an adversary to scan a host without sending packets from his real IP address. Explain how this works. These tools have the additional advantage that any output of the process serving the port will be displayed.
This output might provide useful hints identifying the service and possibly its version. Since UDP scans are slow Why? Port scans, especially stealth scans, have the disadvantage that they may attract attention. Indeed, when carried out on the Internet, your Internet service provider is likely to be upset. Problem 3. Why are they then called stealth scans?
From this perspective, what is the advantage of a SYN scan compared to other stealth scan methods? Besides these techniques, there exist more sophisticated 34 3 Network Services tools called vulnerability scanners. Additionally, these tools use databases of known vulnerabilities to determine potential weak points of the target systems.
Such services willingly provide, for example, their name, their version number, patchlevel, loaded modules, and sometimes even user names and configuration details. The tool consists of a server openvasd that must be started as root and the client openvasclient which can be started as user mallet.
Perform a scan of the machine alice using the scan assistant. This is quite time consuming so you might take this opportunity for a coffee break. Impatient readers may even choose to skip this exercise. Exploits may be found on the Internet or developed by the adversary himself.
Both tools find the unusual open TCP port This service processes input received from the network. Whenever input is processed that originates from a potentially malicious source, the question arises of whether the input is properly validated. Are there input strings that might result in an insecure state on bob? The echo service running on bob is indeed vulnerable to a buffer overflow.
We will now exploit the vulnerability in two different ways. First, we will use the Metasploit Framework  on mallet to open a root shell on bob. Second, we will use a simple Python script on mallet to open an additional port on bob that can be used by an adversary for later attacks.
Both of these methods exploit the same vulnerability. Metasploit is preinstalled on mallet and will be used in the following to exploit the buffer overflow vulnerability.
We now use a Python script to insert code, so that a root shell will be bound to TCP port Having successfully executed the script, an adversary can connect to the root shell on bob using, for example, Netcat or Telnet. Note that you may need several tries to successfully exploit the vulnerability. Once the exploit succeeds, you may need to restart the echo daemon on bob to perform this attack again. X was primarily designed for thin clients terminals that share the processing power of a more powerful machine server. X was designed to be used over the network and offers a broad range of possibilities to access the input and output to and from a host running X over the network.
Nowadays, standard desktop installations of Linux systems e. However, it is still a convenient way to administer a remote machine over a network. To restrict access to the X server, the X Window system offers a range of methods to enforce access control. Users are often not aware of the security implications that this simple configuration command has on their systems. Similarly, it is possible to modify or eavesdrop on keyboard or mouse inputs on the remote machine.
This denotes in the above example that the logical screen 0 of the physical display 0 on alice is to be used. Another application providing similar features is xwatchwin. Using xwatchwin it is also possible to access only a single window on the target machine. For example, for the xclock application this is done in the following way.
Window 0x1ea: Machine: alice. Note that there are various reasons why xwatchwin may fail to display single windows. However, the display of the root window should always work. Other powerful commands are xkill and vinagre. Read the manual pages and determine what they do. An administrator has the same possibilities as an adversary plus the advantage of not having to hide his actions.
In addition, an administrator has full access to the system and all of its components. As a first step to securing a system, it is important to identify any potentially dangerous processes. Generally, any process that receives input from the outside poses a potential security risk. Special attention should be paid to processes that run as root or with root privileges. Using the command lsof, one can obtain a list of all open ports and the corresponding processes.
The output additionally shows the user who is running the process. This allows us to decide whether the process is really needed and if any restrictions are necessary. If the process is not essential, it could be shut down to improve security. Valuable sources of information include the following. For example, consider a log analyzer that analyzes the content of log files on a regular basis using statistical methods. An example is Webalizer, which analyzes web server log files. This type of application is often started periodically by cron and is thus not permanently running.
A typical attack against a log analyzer is a remote log injection, where the adversary introduces arbitrary strings into the log file. An example of a tool that allows adversaries to insert arbitrary input into a log file is the SSH server. Jun 24 For example, it might be possible to restrict access to local users or users from a set of allowed IP addresses. Note that IP addresses can be spoofed. A process might run under a separate user ID.
However, most of the services have start-up and shutdown scripts that should be used instead as they ensure a well-arranged shutdown of the service in question. Understanding how these scripts 40 3 Network Services work is also necessary if you want to terminate a process e. Any process that is started during the boot phase is either directly or indirectly started by an initialization program. System services in Linux systems have traditionally been started using some variant of the System V init system.
The scripts for a runlevel are executed in a prespecified order whenever that runlevel is entered, e. In the past, services were sequentially started. To speed up this process, there are new mechanisms that allow services to be started asynchronously. An example of such a system is Upstart, which is used in many modern Linux distributions. Upstart uses an event-based init daemon. Processes managed by this daemon are called jobs, which are automatically started and stopped by changes that occur to the system state.
Upstart is backward compatible in that it can handle traditional System V init scripts. Whereas Upstart is used on many modern desktop Linux system, the System V init system is still widely used on Linux server platforms. The virtual machine hosts alice and mallet use Upstart, whereas the server platform bob uses the System V init system. In the following we will focus on the System V init system as it is used on host bob. Whenever such a system boots, the following stages occur: BIOS: loads the boot sector from floppy, cd-rom, hard-drive, etc.
It is responsible for loading and transferring control to the operating system kernel. Kernel: initializes the devices, mounts root file system and starts the init process PID 1. Further information about runlevels and the enabling and disabling of start scripts can be found on the following manual pages: init, inittab, insserv and cron.
The following list contains some popular configuration and start-up files. Note that the list is not complete and that configuration approaches and consequently file names differ among Unix and Linux variants. It is consulted whenever the runlevel changes, e. The default runlevel and the location of the start and termination scripts for each runlevel are defined here. Note that manual configuration of runlevels is error-prone. Under Debian, the command sysv-rc-conf provides a simple GUI for this task. However, many modern Linux distributions no longer use the concept of starting network services centrally by one program e.
Instead they use start scripts for the corresponding program in the runlevel directories. Special care must be taken with daemons, such as inetd or xinetd, that start and control other programs services on their own. Most operating systems offer the possibility of invoking programs on a regular basis.
There are different ways to enable the periodic execution of programs. In Linux systems, periodically executed tasks typically use cron, the time-based job scheduler. There are several configuration files that can initiate the start of a program or service. Which commands did you use? For example, a web server should be accessible from the Internet, at least on port In such cases there are multiple options for restricting access to the service.
Firewall: A firewall could be installed on a separate machine monitoring every system access from the network. Similarly, it could be installed on the same machine that provides the service, controlling IP datagrams received over the network. Firewalls are typically compiled into the kernel or added as a module to the kernel. See, for example, the manual page for iptables.
Incoming TCP requests for a given service are not directly forwarded to the corresponding process, but are first inspected by the wrapper. Under Linux the most prominent TCP wrapper is tcpd, which works in combination with the inetd services. In the inetd. Thus every incoming request on a given port is forwarded to tcpd. Note that in contrast to the firewall, inspection of incoming requests is processed in user-space, not in the kernel.
For more information on these programs see the manual pages for tcpd and hosts access. Configuration: Some services have their own mechanism to restrict or control access. Consider, for example, user authentication on an Apache web server. Access control to directories can be defined in the corresponding configuration file of the Apache server. These kinds of control mechanisms typically allow the use of protocol-specific information in access decisions, for example, user names or details about the requested resource.
Whenever you apply one of the above countermeasures you must check whether it actually works as expected. If the mechanism involves a start-up script in one of the runlevel directories, do not forget to check whether the script is properly executed whenever the corresponding runlevel is entered. Afterwards we will use tcpd to protect the FTP server on alice in a similar way.
This is because a UDP scan cannot distinguish an open port from a port that is not responding. The opposite approach is the whitelist approach, where authorized connections are explicitly permitted and everything else is prohibited by default. Compare these two approaches. This time we do not need to change kernel data-structures. Instead we simply modify the corresponding configuration files.
Identify a security problem that arises when symbolic names are used. How can alice be configured to enforce the policy given below? Choose appropriate methods to implement this policy. Do not forget to test whether your measures are effective. Under what circumstances does system hardening makes sense? Question 3. Explain your answer. Now suppose that you have placed your server behind a firewall, and have used Nmap to find potentially forgotten open ports. What could be the problem? Explain the underlying principle. Why is this a possible security problem and how can you prevent it?
Chapter 4 Authentication and Access Control Access control is the means by which access to system resources is restricted to authorized subjects. Access control has a wide scope and can be found in hardware and software, at all levels of the software stack.
- PDF Applied Information Security: A Hands-On Approach | Ebook.
- The Sacred Writings of Saint Hippolytus?
- Lamore difforme (Italian Edition).
- The Boy Scout Camera Club, or, the Confession of a Photograph.
This includes memory management, operating systems, middleware application servers, databases and applications. In this chapter we study access control, focussing on access to remote computers, as well as access to files and other resources stored on computers. You will learn how to use Secure Shell and you will be able to configure it according to your needs.source
Applied Information Security: A Hands-on Approach - PDF Free Download
You will learn the concept of file system permissions in a Linux-based environment and how to apply this. You will also learn to autonomously configure access restrictions at the level of operating systems. Finally you will be able to use this knowledge on your own personal computers. In this process, the user provides his claimed identity together with evidence in the form of credentials.
If the authenticating system accepts the evidence, the user is successfully authenticated. Authentication is usually a prerequisite for authorization to use system resources, i. The most common authentication mechanisms are based on user names and passwords. The system verifies the credentials presented by the subject against informaD.
There are numerous alternatives for authentication, such as one-time passwords e. There are also various options for storing authentication information. Since Telnet does not use any encryption mechanisms, the entire session including the exchange of authentication credentials can easily be intercepted. On mallet start the password sniffer dsniff. Using the option -m enables automatic detection of protocols and -i defines the interface the sniffer should listen to. Connected to bob.
Applied Information Security
You have mail. This circumvents the risk incurred by entering a password, which could be intercepted by an adversary. Authentication is only based on the user name and the corresponding IP address. Rsh also suffers from security vulnerabilities. Any password transmitted is sent in the clear. Moreover, its IP address-based authentication can be exploited by IP address spoofing where the adversary fabricates IP datagrams containing a fake source IP address.
Finally, after login all subsequent information is also sent in the clear and is not authenticated. Problem 4. What is a fundamental argument against authentication based on MAC addresses in most network settings? It solves many of the security-related problems of rsh and Telnet. Since SSH encrypts all communication, it provides secure connections that are resistant against interception and it offers protection against message manipulation as well. Note that in debug mode only one connection can be established and sshd quits immediately after the connection is closed.
By default, the debug information is written to the standard error output. In order to analyze the specific steps, we redirect the error output to the standard output first and then pipe the standard output to the command less. You can use tcpdump or Wireshark on mallet to convince yourself that no plaintext information is sent.
Most users apply SSH as just described, using a user name and password. But SSH also offers the option to remotely log in without entering a password. Instead of the IP address-based authentication of rsh, public key cryptography may be used. When carrying out the following experiments, it may help to also read the corresponding manual pages of sshd, ssh and ssh-keygen.
In order to preserve the comfort of rsh, we abandon the option of using a passphrase -N "" , i. Your identification has been saved in alice-key. Your public key has been saved in alice-key. Instead of comparing string representations of fingerprints, images can be compared. The authentication is based on the knowledge of the private key. SSH has numerous options. For example, you can restrict clients to executing predefined commands only, and you can deactivate unnecessary SSH features such as port forwarding or agent forwarding.
As an example, the following restricts Alice to executing the command ls -al on bob. For these kinds of tasks, the no-pty option is recommended, which prevents allocating a pseudo terminal. The execution of interactive full-screen programs is also prevented e.
Applied Information Security (Hands On Approach).pdf -...
What is the main threat that still remains? In order to improve the security of a system, private keys should only be stored in encrypted form. However, it can be annoying to re-enter the passphrase repeatedly. For such situations, OpenSSH provides a program named ssh-agent. When using it, the passphrase must be entered only once per login session and key, i. To add an identity, you simply use the ssh-add command. You can repeat the above steps and generate a new key pair e.
Every time you use the newly generated identity to access bob, you are requested to enter the passphrase. Try it! Try it out and afterwards log out alice from alice. Now you will be asked to enter the passphrase for the key again every time you access the key. For every file, the permissions to read, write, execute or any combination thereof, are individually defined for the three classes of users: user, group and others.
We will see additional concepts later, but even this simple model suffices for most practical problems and it is both easy to understand and administrate. What is their meaning for directories? Find the answers through experimentation! Just prepend sudo to the above command.
Also replace with the path to the actual directory you want searched. Which files or directories might not be configured properly? Which permissions could be more restrictive? When creating new objects in the file system, the default permissions are important. Although default file permissions depend on the program that creates the new object, the permissions are commonly set to for files and to for directories.
The user can influence the default file permissions for newly created files by defining a corresponding user mask umask value. This value can be set with the umask command. Incorrectly set user masks may result in newly created files to be readable or even writable for other users.
Why is this a good default? Note that not all Unix-like systems behave in this way. Some systems inherit the group from the parent directory. Hint: The invocation order is described in the manual page of bash. This is because these operations do not change the file itself but only entries in directories.
This is not a problem in most cases. However in a shared temporary directory, this can be a serious problem since every user is allowed to manipulate arbitrary files in the directory. The problem can be solved using the sticky bit, which ensures that only the owner of a file or root can rename or delete a file.
Even more fine-grained permissions and restrictions are possible using file attributes. Provide an example where it would make sense to use each of these attributes. Note that after removing the access bit of a directory e. By just removing the read bit of a directory e.
Now change the user to bob su bob and try to read the file: 4. Is this variant also prone to potential security problems? If so, what are these problems? Within the kernel, user names and group names are represented by unique non-negative numbers. Note that some Linux distributions do not use UPGs but instead assign new users to a systemwide default group such as staff or users.
The Linux kernel assigns to every process a set of IDs. We distinguish between the effective, real and saved user ID the situation is analogous for group IDs and we omit their discussion. The real user ID coincides with the user ID of the creator of the respective process. Instead of the real user ID, the effective user ID is used to verify the permissions of the process when executing system calls such as accessing files.
Usually, real and effective IDs are identical, but in some situations they differ. This is used to raise the privileges of a process temporarily. If the setuid bit is set, the saved user ID of the process is set to the owner of the executable binary, otherwise to the real user ID. The real user ID still refers to the user who invoked the program. Example 4. Since this binary is owned by root, the saved user ID of the respective process is set to 0 and the effective user ID is therefore also set to 0 whenever a user executes passwd.
Since the real user ID still refers to the user, the program can determine which password in the file the user may alter. For example, if user bob with user ID 17 executes the command passwd, the new process is first assigned the following user IDs: real user ID: 17 saved user ID: 0 effective user ID: 17 The program passwd then invokes the system call seteuid 0 to set the effective user ID to 0. Because the saved user ID is indeed 0, the kernel accepts the call and sets the effective user ID accordingly: real user ID: 17 saved user ID: 0 effective user ID: 0 Commands like su, sudo and many others also employ the setuid concept and allow an ordinary user to execute specific commands as root or any other user.
Setuid programs are often classified as potential security risks because they enable privilege escalation. If the setuid bit of a program owned by root is set, then an exploit can be used by an ordinary user to run commands as root. This might be done by exploiting a vulnerability in the implementation, such as a buffer overflow. However, when used properly, setuid programs can actually reduce security risks.
Note that for security reasons, the setuid bit of shell scripts is ignored by the kernel on most Linux systems. One reason is a race condition inherent to the way shebang! When a shell script is executed, the kernel opens the executable script that starts with a shebang. Next, after reading the shebang, the kernel closes the script and executes the corresponding interpreter defined after the shebang, with the path to the script added to the argument list.
Now imagine that setuid scripts were allowed. Then an adversary could first create a symbolic link to an existing setuid script, execute it, and change the link right after the kernel opened the setuid script but before the interpreter opens it. An adversary could now proceed as follows to run his own evilScript.
Since nice alters the scheduling priority to the lowest possible, the fourth command is likely to be executed before the interpreter opens temp. Hence, evilScript. How could an ordinary user be given the ability to change his own password without a setuid program? Note that instead of setuid, setgid can be used in many cases. Setgid is generally less dangerous than setuid.
The reason is that groups typically have fewer permissions than owners. For example, a group cannot be assigned the permission to change access permissions. Could the setuid programs in the last problem be setgid instead of setuid? However, as with programs written in other programming languages, shell scripts may contain security vulnerabilities.
Therefore shell scripts must be designed, implemented and documented carefully, taking into account secure programming techniques as well as proper error handling. We already discussed security flaws related to file system permissions.
- Teacher Lesson Plans: Great Expectations.
- Applied Information Security: A Hands-On Approach.
- Recommended for you;
- La Négresse du Sacré-Coeur (Blanche) (French Edition).
- Cuando Pedro llega a España (Spanish Edition)?
- THE CONFIDENT INVESTOR: Learn How To Invest With Confidence In A Turbulent Market.
- The Four Seasons Collection: A Spring Affair, A Summer Fling, An Autumn Crush, A Winter Flame.
Furthermore, we pointed out that on modern Linux systems the kernel ignores the setuid and setgid bit of shell scripts by default. Therefore, some administrators run their shell scripts with root permissions to ensure that all commands used in the script have the permissions they require. In doing so, they give the script too many permissions, thereby contradicting the principle of least privilege. In this section we introduce some common pitfalls, possible attacks and ways to prevent them.
Background on shells is given in Appendix C. The following example shows how an adversary may abuse symbolic links to undermine system integrity. Because of other operations, designated in the script by Finally, execute the above shell script with root permissions. To prevent such attacks, a script should check for symbolic links before using a file and take appropriate actions such as exiting the script.
In the attack in Sect. What is this command primarily used for? Many modern Linux systems provide the command mktemp for safely creating temporary files. Implement what you have learned so far to create the temporary file. The script now looks as follows:! XXX echo "This is the log entry. What can the adversary still do? In general you should not trust externally provided inputs, and this is also the case when users can make their own assignments to these variables. Users may maliciously choose inputs that change the behavior of your script.
We saw an example of this in Problem 4. Explain what an adversary could do when using relative paths. To make your scripts robust against maliciously configured environment variables you may overwrite them at the start of the script. For example, you can define the paths for system binaries as follows:! This prevents the adversary from injecting unintended input. Think carefully about what your script will consume and what you want it to produce. This time, the script reads a password provided by the user. If the user enters the correct password, the script prints a secret to the command line.
Another good practice is to sanitize the input by removing undesired characters. In the following example, only alphanumeric characters are accepted and all other characters are removed. See the manual page of the command tr for more information. However, there are still good reasons to subdivide disk space into multiple smaller partitions.
Often quotas are defined for system users in order to prevent them from filling a partition or even an entire disk. What kinds of limits can you set? What is the difference between a soft limit and a hard limit? In most settings, users are restricted in how much disk space they can write.
Such a setting nevertheless allows an adversary to exhaust space in a world writable directory without debiting his block quota at all. Under some circumstances, the adversary would be able to fill an entire partition despite existing quotas. The following example shows you how this could work. For the example to work, switch the user on alice to bob su bob.
What can the adversary accomplish with such an attack? How can this problem be solved? Whenever possible, world writable directories should be moved to a partition separate from the operating system. For a system-wide temporary directory, a RAM disk could be used. In order to jail a process in a new root directory, we will have to provide all the necessary commands we want the process to be able to execute within this chroot environment.
As an example, we will execute the simple script chroot-test. Note that in this section the term root does not refer to the superuser root but to the root node of the file system. Then make it executable and execute it. Hence, we will have to provide the binaries and necessary libraries for bash and ls in the new environment.
We therefore first create a bin and a lib directory and then copy all the necessary files. Since we also copied bash and its dependencies, you can also execute an interactive shell in the jail and try to escape. We will now apply this mechanism to the remote access on alice. OpenSSH offers the opportunity to jail the users that are logging in remotely by restricting the files and directories that they may access. We will use the change root environment built above.
Note that you need to be root to execute the next command. You could use this mechanism to build more complicated environments. Then, analogously to the above, you could create different environments for every user and thus restrict them to specific sets of allowed commands within their own home directories. What difficulties do you expect in terms of the administration and the operation of such environments? Note that whenever an adversary gains superuser access within a chroot environment, there are different possibilities to escape from the jail. One is based on the fact that not all file descriptors are closed when calling chroot.
A simple C program 66 4 Authentication and Access Control could be written that exploits this fact. More restrictive solutions than chroot exist, such as virtualization. However, chroot offers a simple and straightforward way to restrict processes and their abilities. In each of these cases, what are the respective subjects and objects i.
What kinds of authorization policies are typically enforced by the access control mechanism? Question 4. Explain two of these. Briefly explain these attributes. Name two such attributes and a security application for each of them. A description of such an attack is given below. The setting is depicted in Fig. Explain how the adversary can use the technique described in the attack to access a server behind the firewall.
That is, describe the chain of events that leads to information being transmitted from the internal possibly secret server to the adversary. Describe two countermeasures that could prevent such an attack. These countermeasures should not be overly restrictive. For example, closing the firewall for all connections to the Internet would not be an option.
The objective of logging is to make these events transparent and comprehensible. The log files can be used to analyze and optimize services as well as to detect and diagnose security breaches. Many logging mechanisms are not configured optimally in practice. Important messages go undetected because of the large number of log entries that are triggered by irrelevant events.
Users and administrators often do not even know where to search for specific log files and how to configure the associated logging mechanisms. There are a number of tools available that support administrators with the task of keeping track of log files. Particularly important are tools that analyze the log files. These files often contain many entries which on their own are meaningless or simply not relevant to security.
It is necessary to correlate and filter these entries in order to summarize events and detect suspicious or even dangerous incidents. Furthermore, tools exist that automatically raise an alarm or initiate countermeasures when there is evidence that malicious activities are taking place. Furthermore, you will be able to explain why logging is important, in what situations a deeper analysis of log data can help, and which problems arise with logging and log analysis.
In particular, you will be able to explain how the integrity of log data can be compromised and to what extent log information really reflects the actual status of a system. Finally, you will be able to plan and implement mechanisms to analyze log information for a specific system.
These programs need other options for sending messages to users or system administrators. This enables the administrator to divert the output into one or more log files. Write to file: Many programs write their messages directly to one or more log files. Syslogd: Many programs route their messages to a central program called syslogd, which writes the received messages to different log files according to predefined rules. This makes it possible to collect related messages from different programs in a single log file, e. This in turn makes it easier for administrators to correlate and analyze the relevant information.
In addition, syslogd offers the option of sending log messages over a network to other machines, so that log information from multiple machines can be collected centrally. In the following, we will examine rsyslogd reliable and extended syslogd. One reason is that there is a strict separation between the code and data in kernel space and that in user space.
Therefore, kernel messages must be handled differently. Usually, klogd then uses the syslog API to dispatch the log messages. The program dmesg is used to display the contents of the kernel ring buffer. Problem 5. In particular, when should rsyslogd be avoided? In addition to program-specific log files, there are also system-wide ones which centrally collect messages from different programs.
Therefore, there are associated tools for viewing their contents, such as who 1 , last 1 and lastlog 8. To do so, you must first derive the process ID of rsyslogd. Briefly explain the logging mechanisms and why they are applied. Which programs use them?
Use the manual page of rsyslog. In particular, restrictive access authorization or specific file attributes such as append only are typically used to provide protection against ordinary users without root privileges. However, whenever an adversary gains root access, such methods can be circumvented. To begin with, rsyslogd does not authenticate users.
Shutdown immediately 5. The message created above is indistinguishable from a real message, created by the kernel itself. Even binary files like wtmp can be manipulated using a simple C-program, when the adversary obtains root access. Undesirable entries can be removed or altered arbitrarily. These are weaker notions that only require manipulations to be detectable.
A remote centralized log server has several advantages, which we have already described. In the following, consider how such a log server can be compromised and what countermeasures can be taken. Be creative in your solution! Such a string might, for example, be the result of an error message generated by a system call. However, it might also originate from user input, such as a user name entered in a login procedure. The processing of log messages, for example, using log analysis tools, thus requires input validation to prevent potential problems such as buffer overflows or code injection.
When this is done, the files are created afresh after a predefined period of time or when a specific size is reached. Files rotated out are usually associated with the current date and are deleted or archived at regular intervals. Find the configuration file for logrotate on alice and change it so that all log files are compressed after rotation.
Applied Information Security: A Hands-on Approach
Before you do this, create a snapshot of the virtual machine and switch back to the snapshot after the experiment in order to have non-empty log files for the log data analysis that will follow later in this chapter. Typically the monitored activities are reported to a management system that correlates information from multiple monitors.
Intrusion detection systems may additionally be extended with intrusion prevention systems IPS , which take countermeasures when suspicious activities are reported. In this section we will focus only on IDSs. A distinction is commonly made between host-based and network-based IDSs. Host-based systems run directly on the monitored machine and can analyze relevant information on the machine such as log files, network traffic and process information.
Network-based systems run on dedicated hosts and are often integrated into a network as probes. Such systems overhear network communication but do not communicate on the network themselves and are therefore difficult to attack. Some host-based systems search a given system state a static snapshot of the system at some time point for signs of a possible break-in. This is done by comparing the given state to a previously captured state in order to identify differences that suggest malicious behavior. Alternatively, the tool may search the given state for specific evidence of a break-in, for example, a known attack pattern.
Other host-based systems check for occurrences of known attack patterns on the running machine in real time. This includes analyzing network traffic, log entries, running processes and the like. Anomalies can be detected during intrusion and specialized countermeasures can be taken to mitigate attacks. Alternatively, the administrator can be informed. In what follows, we will focus on host-based systems that search for static differences only. It may also be necessary to collect and correlate log information from different sources.
What files do you have to check for this? The use of grep makes sense whenever an administrator has a concrete suspicion that requires confirmation. The Simple Watcher Swatch enhances this approach by making it possible to find specific expressions in a log file and to define corresponding actions that are triggered when these expressions occur.
The relevant patterns and actions can be defined in a swatch configuration file. Color the switch to superuser mode red and color the switch back green. What does your Swatch configuration file contain? Swatch can even be used to permanently observe a file by using the option -t. However Swatch is a simple tool and there are many more sophisticated alternatives like LogSurfer, which are not covered here. However, log file analysis is not the only way to detect attacks.
Adversaries often leave additional evidence elsewhere. Failed buffer-overflow attacks, for example, lead to core dumps except when they are disabled. Moreover, whenever an adversary has been successful, he needs a place to save programs and data. Adversaries are often highly creative and go to great lengths to hide their files from administrators.
We will return to this question shortly in Sect. Rootkits typically hide files and processes by modifying system binaries like ps and ls such that these programs do not return all the correct information. Additionally, the behavior of the kernel can be manipulated by modifying kernel modules. For example, it is possible to replace arbitrary system calls and to modify kernel-specific data structures. The only help in such situations is to boot from trusted media like a floppy disk or a CD. This program performs a series of tests and can detect numerous widely used rootkits.
Furthermore, it detects network interfaces in promiscuous mode and altered files like the log files lastlog and wtmp mentioned above. Check alice for possible rootkits. Thus it is good practice to put programs like chkrootkit on removable or read-only media. There are several tools for integrity checks that are more powerful than this simple solution. These tools allow administrators to define which directories or files should be checked according to given criteria.
Furthermore, these tools work with different algorithms in order to minimize the probability that a specific file is replaced by another file with precisely the same checksum. What is checked? What cannot be checked? This database will be used for comparison when performing integrity checks later on. After the database aide. Looks okay! What is the difference between mtime and ctime? The above example was rather simple. We will now put everything together and configure alice by using the configuration file that was shipped with the default installation of AIDE.
Use the given AIDE configuration file and add your selection lines. Explain the benefits that they provide to an adversary. Question 5. Why is this case especially critical, compared to the case where an adversary has not yet gained these rights? Fortunately, you have an external backup of the system. So you decide to compare the MD5 checksums of system-relevant files. How would you proceed?