7CCSMSEN Security Engineering

Homework 4

MSc Computing and Security

Q1: What should the architecture of a network application under Unix be that processes potentially hostile data?

A: The application should be split into two parts:

  • one that does the sensitive work and has high privileges.
  • one that “listens” to the internet and communicates in a sanitised way to the highly privileged part.

Q2: What is a Unikernel system and why is a Unikernel preferable on a web server system (in contrast to a traditional general-purpose operating system like Linux)? Hint: What is the idea of a Unikernel?

A: A Unikernel runs a single program that implements the functions of a service. It is ideal for hosters, over multi-purpose operating systems, as it gives a much faster startup time and more security as the host only performs the set functions that the developer has programmed. The attack surface is much smaller.

Q3: What does the principle of least privilege say?

A: A program should only be run with the minimal amount of permissions it needs to perform its tasks. This helps reduce the attack surface by restricting what a program’s user can do.

Q4: How can you exploit the fact that every night root has a cron job that deletes the files in /tmp? (Hint: cron-attack).

A: /tmp is readable, writable and executable by anyone. If there is a cron job that performs rm /tmp/*/*, the shell will first expand the */* to give a listing of all of the files in the /tmp directory and then perform rm /tmp/file1 /tmp/file2 etc. An attacker could abuse this as an under-privileged user by first creating a large number of files in the /tmp directory so the shell expansion takes a long time. They can then create a symlink from a file that's going to be removed to /etc/passwd while the shell expansion is running. The cron job will then remove the /etc/passwd file, which will then allow the attacker to log in as root.
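
A cleanup job can close this window by opening each directory without following symlinks and deleting names relative to the open descriptor instead of by path. The Python code below is an added example, not part of the original homework; the directory layout is constructed and the names naive_targets, safe_clean and demo are hypothetical.

```python
import glob, os, stat, tempfile

def naive_targets(tmp_root):
    """Path names a shell would hand to rm for `rm tmp_root/*/*` (nothing is deleted here)."""
    hits = glob.glob(os.path.join(tmp_root, "*", "*"))
    return sorted(os.path.relpath(p, tmp_root) for p in hits)

def safe_clean(tmp_root):
    """Remove regular files one level down, never resolving a name through a symlink."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    removed = []
    root_fd = os.open(tmp_root, flags)
    try:
        for sub in os.listdir(root_fd):
            try:
                sub_fd = os.open(sub, flags, dir_fd=root_fd)  # fails if sub is a symlink
            except OSError:
                continue  # symlink, not a directory, or already gone
            try:
                for name in os.listdir(sub_fd):
                    st = os.stat(name, dir_fd=sub_fd, follow_symlinks=False)
                    if stat.S_ISREG(st.st_mode):
                        os.unlink(name, dir_fd=sub_fd)  # relative to the opened directory
                        removed.append(f"{sub}/{name}")
            finally:
                os.close(sub_fd)
    finally:
        os.close(root_fd)
    return sorted(removed)

def demo():
    """Constructed layout: a normal job directory plus a symlink pointing outside the tree."""
    base = tempfile.mkdtemp()
    tmp_root, outside = os.path.join(base, "tmp"), os.path.join(base, "outside")
    os.makedirs(os.path.join(tmp_root, "job"))
    os.makedirs(outside)
    for p in (os.path.join(tmp_root, "job", "scratch.txt"), os.path.join(outside, "important")):
        open(p, "w").close()
    os.symlink(outside, os.path.join(tmp_root, "link"))
    listed = naive_targets(tmp_root)   # what path-based expansion would reach
    removed = safe_clean(tmp_root)     # what the descriptor-based cleanup removes
    return listed, removed, os.path.exists(os.path.join(outside, "important"))

if __name__ == "__main__":
    print(demo())
```

The first element of the result shows that path-based expansion reaches through the symlink, while the descriptor-based cleanup only touches the real subdirectory.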

Q5: In which of the following situations can the access control mechanism of unix file permissions be used?

- (a) Alice wants to have her files readable, except for her office mates.
- (b) Bob and Sam want to share some secret files.
- (c) Root wants some of her files to be public.

A: B and C.
For (a): Alice could perform chown alice:office <files> and chmod 0704 <files> so that her office mates are unable to read the files but she and everyone else are, but users can drop their group memberships.
For (b): Bob and Sam could create a group just for themselves called bobsam and then perform chown bob:bobsam <files> and chmod 0770 <files>. Of course they need to be wary of who administers the system, as the administrator could add more people to their group.
For (c): Root can perform chmod 0777 <files>.

Q6: Explain what is meant by Kerckhoffs’ principle.

A: Security by obscurity is not an option and so everything about the cryptosystem should be public knowledge apart from the key.

Q7: How can a system that separates between users and root be of any help with buffer overflow attacks?

A: If an attacked service is run as root, then the attacker will be able to run arbitrary commands as root. Running the service as a user with fewer privileges limits what an attacker could do.

Q8: What does it mean that program passwd has the setuid bit set? Why is this necessary?

A: The setuid bit tells the operating system to run the program as the owner of the program. For example, a program owned by bob, but run by john, will normally run as john without the setuid bit. With the setuid bit, the program will always run as bob. It is necessary for the passwd program to have this in order to make changes to /etc/passwd when a user wants to change their own password.

Q9: Under Unix (for example BSD Unix, MacOSX) the login program has the setuid bit set. Why is this needed? In Linux login does not have setuid bit set. What are the consequences of this choice?

A: The main idea here is that it is possible to reduce your security level (root -> user) but it is not possible to elevate your security level.

Q10: The variable PATH is a shell variable in UNIX which lists all directories that should be automatically searched for a program. For example, if PATH contains the directory /usr/bin and the program ls is stored there, then a user does not need to type /usr/bin/ls, but ls suffices. The question is why is it a bad idea in general, but in particular for root, to have . as the first entry in one's variable PATH?

A: Having . in your path would result in every program in the current directory being callable by just its filename (i.e. program instead of ./program). An attacker could place a malicious executable called ls in a directory that root runs programs from, which will override the /usr/bin/ls program that root actually wanted to use.
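
A check for this misconfiguration has to catch more than a literal dot: in a POSIX PATH an empty entry (a leading, trailing or doubled colon) also means the current directory, and any relative entry is resolved against it. The Python code below is an added example, not part of the original homework; audit_path is a hypothetical name and the PATH strings in the usage are constructed.

```python
def audit_path(path_value):
    """Return (index, entry, reason) for PATH entries that resolve relative to the cwd."""
    findings = []
    entries = path_value.split(":")
    for i, entry in enumerate(entries):
        if entry == "":
            reason = "empty entry (means current directory)"
        elif entry == ".":
            reason = "current directory"
        elif not entry.startswith("/"):
            reason = "relative directory"
        else:
            continue  # absolute entries do not depend on where the user is standing
        # Absolute directories listed later lose to this entry for any shared command name.
        shadowed = [e for e in entries[i + 1:] if e.startswith("/")]
        if shadowed:
            effect = "shadows " + ", ".join(shadowed)
        else:
            effect = "used for commands not found earlier"
        findings.append((i, entry, f"{reason}; {effect}"))
    return findings

if __name__ == "__main__":
    # Constructed PATH values: the case from Q10, then empty entries in the middle and at the end.
    for sample in (".:/usr/bin:/bin", "/usr/bin::/bin:", "/usr/bin:/bin"):
        print(sample, "->", audit_path(sample))
```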

Q11: A Unix directory might look as follows:

$ ls -ld . * */*
drwxr-xr-x 1 ping staff     32768  Apr 2  2010 .
-rw----r-- 1 ping students  31359  Jul 24 2011 manual.txt
-r--rw--w- 1 bob  students  4359   Jul 24 2011 report.txt
-rwsr--r-x 1 bob  students  141359 Jun 1  2013 microedit
dr--r-xr-x 1 bob  staff     32768  Jul 23 2011 src
-rw-r--r-- 1 bob  staff     81359  Feb 28 2012 src/code.c
-r--rw---- 1 emma students  959    Jan 23 2012 src/code.h

with group memberships as follows:

  • Members of group staff: ping, bob, emma
  • Members of group students: emma

The file microedit is a text editor, which allows its users to open, edit and save files. Note carefully that microedit has set its setuid flag. Fill in the access control matrix below that shows for each of the above five files, whether ping, bob, or emma are able to obtain the right to read (R) or replace (W) its contents using the editor microedit.

A:

If we only try to R/W through microedit:

        manual.txt  report.txt  microedit  src/code.c  src/code.h
ping    R-          R-          RWX
bob     R-          R-          RWX
emma

If we try to R/W via cat or echo:

        manual.txt  report.txt  microedit  src/code.c  src/code.h
ping    RW          -W          R-X        R-
bob     R-          R-          RWX
emma                RW          R-         R-          R-
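
Both matrices follow from three rules: Unix applies exactly one permission triplet per access (owner, else group, else other), a file is only reachable with search permission on every parent directory, and a setuid program acts with its owner's user ID. The Python code below is an added example, not part of the original homework, that applies those rules to the Q11 listing; the function names are hypothetical and root's override is not modelled.

```python
# Constructed from the Q11 listing: path -> (mode string, owner, group)
LISTING = {
    ".":          ("drwxr-xr-x", "ping", "staff"),
    "manual.txt": ("-rw----r--", "ping", "students"),
    "report.txt": ("-r--rw--w-", "bob",  "students"),
    "microedit":  ("-rwsr--r-x", "bob",  "students"),
    "src":        ("dr--r-xr-x", "bob",  "staff"),
    "src/code.c": ("-rw-r--r--", "bob",  "staff"),
    "src/code.h": ("-r--rw----", "emma", "students"),
}
GROUPS = {"staff": {"ping", "bob", "emma"}, "students": {"emma"}}
FILES = ["manual.txt", "report.txt", "microedit", "src/code.c", "src/code.h"]
USERS = ["ping", "bob", "emma"]

def triplet(path, uid, gid_user):
    """The one rwx triplet that applies: owner, else group, else other (no fall-through)."""
    mode, owner, group = LISTING[path]
    if uid == owner:
        bits = mode[1:4]
    elif gid_user in GROUPS[group]:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits.replace("s", "x")  # 's' in the owner slot means setuid plus execute

def rights(path, uid, gid_user=None):
    """R/W on a file, requiring search (x) permission on every parent directory."""
    gid_user = gid_user or uid
    parts = path.split("/")
    parents = ["."] + ["/".join(parts[:i]) for i in range(1, len(parts))]
    if any("x" not in triplet(d, uid, gid_user) for d in parents):
        return ""
    t = triplet(path, uid, gid_user)
    return ("R" if "r" in t else "") + ("W" if "w" in t else "")

def rights_via(program, path, user):
    """Rights obtained through a program: the caller needs x on it; setuid swaps the user ID."""
    mode, owner, _ = LISTING[program]
    if "x" not in triplet(program, user, user):
        return ""
    effective = owner if mode[3] == "s" else user
    return rights(path, effective, gid_user=user)  # group membership stays the caller's

def matrix(via=None):
    """Access matrix per user over FILES, directly or through the program named in `via`."""
    return {u: [rights_via(via, f, u) if via else rights(f, u) for f in FILES] for u in USERS}

if __name__ == "__main__":
    print("direct:       ", matrix())
    print("via microedit:", matrix(via="microedit"))
```

An empty string in the output corresponds to an empty cell in the matrices; the execute bit is not reported because the question asks only about R and W.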

Q12: In the context of which information flow should be protected, explain briefly the differences between the read rule of the Bell-LaPadula access policy and the Biba access policy. Do the same for the write rule.

A: The Bell-LaPadula and Biba policies offer secrecy and integrity, respectively.
Bell-LaPadula’s read rule allows a user to read an object if the user has the same or a higher security level than the object; whereas Biba’s read rule states that a user can only read objects that are in the same or higher security level.
A use case for Bell-LaPadula’s read rule would be in a simple military scenario where some workers won’t have clearance to read TOP SECRET documents (no read-up). Biba’s read rule is better suited for maintaining integrity where workers can only look at ‘approved’ documents (no read-down).
Bell-LaPadula’s write rule allows a user to write to an object only if the object’s security level is at least as high as the user’s. Biba’s write rule states that a user can only write to objects that are in the same or lower security levels.
A use case for Bell-LaPadula’s write rule would be an electronic exam system. The students would write their answers to a higher security level where the examiners can mark their work, but other students cannot read their answers (no read-up). Biba’s write rule could be used for preventing students writing the exam paper questions, but allowing the examiners to write the questions (no write-up).

Q13: (Optional) This question is for you to provide regular feedback to me, for example what were the most interesting, least interesting, or confusing parts in this lecture? Please feel free to share any other questions or concerns.

A: I am unsure about what you were expecting for the first question. With regard to Linux permissions, I had assumed that a file with rwx---rwx would still be readable by the group as it allows ‘everyone’ to, but it was really interesting to learn that this isn’t the case!