| pappy- | lets talk english |
|---|---|
| pappy- | Andrés L. Sclippa Argentina. "Unix Application Security Framework" |
| pappy- | *hihi* |
| pappy- | nice name |
| Human | aqui es la traduccion en espa?ol, cierto ? |
| damage | no al ingles |
| Human | ahh |
| pappy- | errr, yes |
| pappy- | i mean, no |
| pappy- | sorry |
| damage | la charla sera en español |
| pappy- | no clue what you are talking about :-) |
| Human | ahh la va a dar un argentino |
| damage | pappy- lol |
| Human | oks |
| damage | pappy- Human ask me if the presentation will be in english or not |
| damage | Human, sep |
| pappy- | i hope so, my spanish is, lets call it, rusty. |
| damage | jeje ok |
| pappy- | but i can work on that |
| albeiro | hm, it seems someone like systrace |
| Human | ayy la damaga bilingual |
| damage | jaja |
| Human | i can speak in english too :P |
| krocz | Human you help in translation at damage ?? |
| albeiro | but i will staty for a while |
| pappy- | i came here because somebody on the street outside put a flyer into my hands with the writing on it: free beer if you bring a chick. |
| damage | pappy-, you are waiting for the presentation right ? |
| Human | sure |
| Human | if you want :P |
| pappy- | well, i did not bring a chick, so i do not qualify for a beer, do i? |
| Human | lol |
| pappy- | cheer it up folks. |
| damage | pappy-, beer?? i read beer??? |
| Human | hahahah |
| Human | santa baltica <- ! |
| damage | ruega por nosotros |
| Human | hahahah |
| ACubanito | alguien quiere jugar star craft |
| ACubanito | alguien quiere jugar star craft |
| Human | ... |
| ACubanito | alguien quiere jugar star craft |
| ACubanito | alguien quiere jugar star craft |
| ACubanito | alguien quiere jugar star craft |
| damage | porfavor te dire.. dejate de wuear? |
| damage | :P |
| krocz | :) |
| krocz | ACubanito estamos a punto de iniciar una charla |
| krocz | y creo que aqui no es el lugar adecuado |
| ACubanito | y donde men |
| damage | cual quier parte menos aqui |
| ACubanito | por que |
| Tiger | ACubanito prueba en otro servidor. |
| pappy- | pipacs: what am i doing here. this stuff is spanish. |
| damage | pappy-, no! we will translate the presentation |
| damage | to the english |
| pappy- | is he late? am i not seeing the star? where is he, did he step on the red carpet yet? man, i am really excited! |
| pappy- | this is all spanish to me :-( |
| pappy- | they are talking about me |
| pappy- | i know it! |
| pappy- | its all me they are talking about. |
| pappy- | they are making a fun out of me because my cochones are too small. |
| damage | Nice to have you here again |
| felix | !startlog |
| jaime | felix: Estoy logueando el canal #redes en [http://felix.zapto.org/jaime/redes.html] |
| damage | for us is really satisfactory to do this kind of speech |
| damage | because of that, in this ocation we will present Andres L. Scippa |
| damage | a "Argentino" from the "Universidad tecnologica nacional Facultad Regional, Resistencia |
| damage | he is analist of security at www.linuxdevelopment.com.a |
| damage | recentrly he present a conference to us of "WBEM in Linux" |
| damage | on this time has prepared one presentation related it to |
| damage | "Unix Application Security Framework" |
| damage | we give the welcome to Andres |
| damage | please conect to http://170.210.180.9/umeet there you can find the mirrors of the presentation |
| damage | and a log for the people that arrives late |
| damage | you can make questions at #qc |
| damage | i will answer they here |
| damage | lets start |
| damage | off all attacks to UNIX systems |
| damage | im going to say when you must change the pic of the presentation, ok |
| damage | at the type of the DoS and buffer overflow are the must popular and dangerous |
| damage | (pic 2) |
| damage | on this presentation i will talk of how delete the second type of attack |
| damage | in UNIX all process run with an a identificator of user and group (UID/GID) |
| damage | this limits acces of that process to the OS recurses |
| damage | but its problematic that a lot of applications require a root privileges |
| damage | in *NIX u another privileges |
| Human | recurses = resources |
| damage | to work correctly (ej: to change password, need to access to devices |
| damage | <krocz> feistel, you will be based on one SO on special of in general ? |
| damage | in general |
| damage | in effect, determined syscalls privileged or to file systems like /etc |
| damage | so we find that all process run with root pivilegies |
| damage | while this process work like they wass designed, any problem |
| damage | i will care, in general, about UNIX |
| damage | they're asking me to speak a little slow (because of translation [OUR WORK LOL:P]) |
| damage | the problem appears when a attacker gets control of execution of a |
| damage | process and execute arbitrary code with process privileges |
| damage | to limit this, *NIX applications have used for years |
| damage | two forms, the SUID/SGID and the chroot jailing |
| damage | the firt idea its the next |
| damage | the process run normaly with one user with out pivilegies but |
| damage | when they require privilegiated access (like root for ex.) |
| damage | when they execute a syscall that changes temporaly the user of process |
| damage | for this motive, the binary must habe S bit activated |
| damage | <trulux> festel, when you speak about in general, chroot jailing |
| damage | you must speak about another kind of jails, like FreeBSD jails, and dont speak about chroot jails in general, to all Unixes |
| damage | trulux is right |
| damage | in this case, they refear to chroot jailing, basic in all UNIX |
| damage | avaible in all UNIX |
| damage | on FreeBSD this its more funtional |
| damage | ------------------------ |
| damage | # ls -aLF /usr/bin/passwd |
| damage | -rwsr-xr-x 1 root root 44705 Jul 1 00:49 /usr/bin/passwd |
| damage | ------------------------ |
| damage | you can see a binary with the activated bit |
| damage | finished the privilegiated execution the process come up to run with |
| damage | the limited privileges of the original user |
| damage | chroot jailing what does is to border to the process in filesystem with which if the process is hacked, the attacker |
| damage | it doesnt have access to the rest of filesystems |
| damage | this techniques offers a limited security |
| damage | the SUID/SGID and the chroot can change easily once that |
| damage | proccess has been comprometed |
| damage | the stack-smahing attack or buffer overflow attack appears when the procces |
| damage | require that external dates have to put in the buffer |
| damage | (really the buffer overflow its a special type of sttack-smahing, |
| damage | but we will take like sinonimous here to facilitate) |
| damage | <trulux> fesitel, the chroot can be compromised in execution time to various kinds of "tricks", from do a double chroot even to try kill proceses outside it |
| damage | how truluix says, chroot is really vulnerable |
| damage | or variable |
| damage | and the vulnerable application dont control exactly |
| damage | the size of those external data |
| damage | this makes that if data has a bigger size than buffer size |
| damage | that contains it |
| damage | at the time of storing it, contiguous parts of the memory |
| Human | <trulux> fesitel, the chroot can be compromised in execution time to various kinds of "tricks", from do a double chroot even to try kill proceses outside it |
| Human | how truluix says, chroot is really vulnerable |
| Human | or variable |
| Human | and the vulnerable application dont control exactly |
| Human | the size of those external data |
| Human | this makes that if data has a bigger size than buffer size |
| Human | that contains it |
| Human | to buffer, they are overwritted with the rest of that data content |
| Human | the problem comes when in structure that *NIX uses in memory |
| Human | of every process, so the area of memory next to buffers contains |
| Human | critical data, about the process that controls the execution flux of the same |
| Human | tihs allows attackers to insert machine code (shell codes) |
| Human | in applications vulnerables to buffer overflow, and make that way |
| Human | not contempled operations, with same privileges as process has |
| Human | (presentation n?4) |
| Human | in superior graphic, we see structure of area and memory of everything |
| Human | process |
| Human | there we found |
| Human | tipical structure of stack |
| Human | area of memory where it save temporal data of process |
| Human | all function C uses stack from stack pointer, upside in this order : |
| Human | buffers, local variables, frame pointer to past |
| Human | in retur direction (from this on function was called) |
| damage | finally the arguments of the function with which if the code does not control the size of the data to write |
| damage | on the buffers the next area of the memory(up at the pic) |
| damage | may be overwrite |
| damage | the down part of the picture show the tipical function C vulnerable of this attack |
| Human | the function strcpy() copies content of the variable inside $HOME enviorement, to |
| Human | buffer of 128 bytes |
| Human | because is no control about size of $HOME variable |
| Human | but if this one have more than 128 bytes, the ret of string must overwrite the old memory areas |
| Human | so that momment an attacker in this case can introduce shell code in variable $HOME, starting byte 129 |
| Human | and this shellcode will execute with process privileges |
| damage | <krocz> ouna forms to avoid the execution is leaving stack, in state "no execute" |
| damage | yes, this know at W^X an we will show more less |
| damage | for that the shell code overwrite the "return address" to the area of memory where is located the arbitraried inyected code |
| damage | and this will be executed when the vulnerable function finalizes and the execution of the process must return to the point |
| damage | from where it was called the function by that area of stack the attacker overwrites stack-smashing can |
| damage | <trulux> feister, no, W^X is of OpenBSD, there are more implementations: Stack Guard of Immunity, ExecShield |
| damage | abd Pax for example |
| damage | not an implementation |
| damage | is a technique |
| damage | can be classified in : |
| damage | * return adress: modify return direction |
| damage | *local variables or arguments: modifies that variables |
| damage | *previous frame pointer : modify pointer to previous frame |
| damage | now well |
| damage | one solution its audit the source code of the aplication for detect the vulnerable code, this mean the code that |
| damage | not are controling the size of the strings |
| damage | the tecnical series and the mechanism presentated here will form a framework |
| damage | where can run your *NIX applications with a proactive security |
| damage | as say, in case that doesnt occur a buffer overflow for a non detected vulnerability |
| damage | this attack will ve eliminated and confined or limited |
| damage | (diapo 6) |
| damage | ok, the first technic that conform our framework is a thing of design |
| damage | the technic of the separation of privilegies |
| damage | the idea is separate the code of the procces in two parts: |
| damage | 1 - the privilegiated process: use the syscall that require privilegiated permitions |
| damage | 2 - the non-privilegiated process: access to the rest of all syscall, this not require of a privilegiated acount |
| damage | so when the privilegiated process start make a fork of theyself and his son past to be a non-privilegiated process |
| damage | the idea is that interaction with user or with local or remote processes |
| damage | must be maked by NON-PRIVILEGED son |
| damage | because if this one is compromised |
| damage | the attacker must have his action range limited |
| damage | to understand this technique better |
| damage | that uses this technique |
| damage | the ntp engine process is the NON-PRIVILEGED process (this one runs as _ntp) |
| damage | that process comunicates throught a UNIX-domain socket (not tcp/ip accesable) |
| damage | with his father process, the ntpd master running as root |
| damage | and the ntpd master only uses two privileged syscalls |
| Human | IMSG_ADJTIME and IMSG_HOST_DNS (set time and call resolver library) |
| damage | now if the attacker inyect by the UDP 123 shell code only the process |
| damage | ntp engine will be comprometed |
| damage | in this case the ntp engine process run in chroot on /var/empty |
| damage | with which the same one that directory has left prisoner |
| damage | (diapo 7) |
| damage | to now so our aplications have: |
| damage | * SUID/GUID bits |
| damage | * chroot jailing |
| damage | * privilegiated separation |
| damage | we see now a mechanism to protect the memory |
| damage | the mechanism W^X (less W xor X) |
| damage | the idea is that the areas of memory have a control of access |
| damage | similar to RWX bits of UNIX filesystem |
| damage | so, with W^X, the OS defines a default politc in determinated areas of memory |
| damage | this way both areas are execution or writte access, but never both |
| damage | excepting if the application requires it explicitly |
| damage | MMU=memory management unit (unidad de administracion de memoria) |
| damage | a bit X in each page of memory |
| damage | the OS only it must activate o deactivate this bit and ready |
| damage | but i386 haven't this bit |
| damage | but W^X, we can emulate in this architecture, thanks to support of |
| damage | segmentation memory |
| damage | and a DATA (high memory area) |
| damage | when it starts process (every part of code is in DATA) |
| damage | the code pass to low area |
| damage | while the data pass to high area DATA |
| damage | and the OS keeps a politics aobut W in DATA and X in CODE |
| damage | as say, in a i386, the W^X is emulated by software |
| damage | and the techniques seen until now doesnt generate a overhead, and not require to modify the code |
| damage | the two next make overhead and one of this modify the code |
| damage | (diapo 8) |
| damage | show the aplications now, and it see more secure: |
| damage | * SUID/GUID bits |
| damage | * chroot jailing |
| damage | * privilege separation |
| damage | * W^X |
| damage | the problem in the last case its that we depending of exclusivly of the OS and the arch |
| damage | although the execution of code us limited, stack still can be altered |
| damage | the ProPolice or Stack Smashing Protector (SSP) is a develop of the divition of investigation |
| damage | in Tokio of IBM |
| damage | this works with gcc to transform a |
| damage | vulnerable C function in a no vulnerable C function |
| damage | with that you obtain a code wich functions are protected against |
| damage | stack corruption |
| damage | for this, ProPolice realizes two things |
| damage | <trulux> feistel, there are many implementations of SSP: |
| damage | http://wiki.debian-hardened.org/SSP/ProPolice_Implementations |
| damage | the idea of the presentations it work on independent tecnology of the OS |
| damage | for the many flavors of unix |
| damage | <trulux> feistel, really its not obtain any protected code, still be vulnerable but it call to the function guard |
| damage | of SSP before to execute any type of strange operation, in the start of the execution |
| damage | SSP also orders the memory of the function, also of guard |
| damage | the fact that you cant make a overflow, maket ist invulnerable |
| damage | 1.- Reorder stack |
| damage | up you see classcstack |
| damage | down you see the rebult stack and modified by propolice |
| damage | the variables and the fixes are in opposite order |
| damage | in new memory disposal |
| damage | (A) that doesnt contain fixes or variable pointers |
| damage | (B) contain strings and structs |
| damage | (C) no contain strings |
| damage | in the only place where a destruction of the stack can begin is the (B) |
| damage | the previous thing is the key of ProPolice |
| damage | And it adds the code in the prologo and the epilogo of the function |
| damage | lets see how this thing works |
| damage | in the function prologue |
| damage | (code that executes when funcition es claled) |
| damage | ProPolice generates a randmo number, the "guard" |
| damage | as you can see, the "guard" is the first that appears in the stack |
| damage | remember that stack grows from up to down) |
| damage | and thats why in prologue it generates |
| damage | and thats why in prologue it generates |
| damage | a "guard" copy, that is keeped in a protected area, outside a overflow range |
| damage | the functiont not ends untill it returs to the function it calls |
| damage | which compares "guard" original with the one of stack if these are different the execution of the process finalizes and log is generated, asi everything shellcode injected is not executed |
| damage | by the location of return address the only form to modify it is by the of overflow in buffers |
| damage | (B) |
| damage | for the locations of the local vars in (C) |
| damage | these are protected by modification since the destruction begins in (b) |
| damage | the arguments (a) on the other hand are protected by "guard". |
| damage | ProPolice has some exceptions that are due to consider |
| damage | that they are listed in the site of ProPolice and is of interest for programmers in C |
| damage | in UNIX that wish to protect themselves with ProPolice |
| damage | (diapos 9) |
| damage | perhaps it would be left if to accounts something on types of "canarios" clearer; |
| damage | the conference includes many subjects and the idea is to |
| damage | give a point for a deep investigation but by the interested ones |
| damage | I do not want to enter the qualifications of the canaries (another name for guard) trulux, wants to collaborate with a real example says that it has everything prepared, we will do it at the end of the presentation |
| damage | also of ProPolice exists other similar implementations but all of them have limitations and weaknesses in the figure can see a comparison -- those interested in the subject, can remain later ;-) --- |
| damage | a summary of the alternatives |
| damage | * libsafe: is a library that adds a control on some popular functions of strings as strcpy() and gets() |
| damage | work like middleware that intercepts the calls to these functions and makes the necessary control |
| damage | * StackGuard: it uses the same concept of "guard" that it calls "canario" address (during the prologo, after of buffers) |
| damage | which is verified in the epilogo, does not use "guard" or "canarios" |
| damage | as much StackGuard and StackShield have famous vulnerabilities and also generates overhead greater than ProPolice |
| damage | "Phrack Magazine - Volume 0xa Issue 0x38" |
| damage | although ProPolice is enough safe and robust it generates overhead that there is to consider |
| damage | at the time of deciding if to protect or ours I do not our code with SSP in diapos 10 and 11 |
| damage | can see some benchmark of the equipment of development of ProPolice |
| damage | (diapo 12) |
| damage | our application now already is a framework quite reliable: |
| damage | * SUID/GUID bits |
| damage | * chroot jailing |
| damage | * privilege separation |
| damage | * W^X |
| damage | * ProPolice |
| damage | nevertheless... we suppose that a vulnerability in some of the previous systems is detected, for example in ProPolice (as it were detected before in StackGuard and StackShield) |
| damage | we needed something include in those circumstances our UNIX applications do not even jeopardize the security |
| damage | of whole system |
| damage | the last complete component of ours framework so is: |
| damage | Systrace is a mechanism that runs partly in userland and partly in kernel |
| damage | this mechanism catches all syscalls that a process uses and makes a control of access |
| damage | with them as if firewall it was is to say |
| damage | we defined politicas of control of Systrace access at level of syscalls for example, |
| damage | we can limit that a process connects (bind()) to certain ports TCP and the rest is denied |
| damage | or for example, to prevent the writing, |
| damage | limiting the use of write() or to limit write() specified archives or filesystem |
| damage | imagines now that a process is it jeopardize and an attacking scale privileges |
| damage | with since we have limited syscalls that can use the process |
| Session Time: Thu Dec 16 00:00:00 2004 | |
| damage | or in the way in which it uses them, the attack is confined or limited which the application was developed to do as they are seen in the figure the applications with Systrace they run in sandbox controlled, where they single can do what we |
| damage | let to them do |
| damage | in kernel "System Call Gateway" it captures all the calls syscalls of the sandboxed application, |
| damage | as if this was a Proxy is in charge to execute true syscalls and to give back the result to the applications |
| damage | as this is transparante, the application does not find out the presence of syscall gateway but before syscall gateway must determine if the politics allow the execution of so syscall for that I modulate of Systrace in kernel is in charge to communicate |
| damage | with I modulate of userland, which reviewing the politicas determines if syscall must be allowed or refuse if the politic say "allow" then syscall is executed normally otherwise, no, and the application receives the code of error |
| damage | (<0) |
| damage | systrace work too like a IDS (Intrusion Detection System) |
| damage | or it can generate alarms or notifications for the case in which syscall something is denied for example an entrance in syslog can be like this |
| damage | <feistel> ------------------------------------ |
| damage | <feistel> Dec 2 01:31:11 openbsdtest systrace: deny user: _identd, \ |
| damage | <feistel> prog: /usr/libexec/identd, pid: 27046(1)[12989], \ |
| damage | <feistel> policy: /usr/libexec/identd, filters: 24, syscall: native-fsread(5), \ |
| damage | <feistel> filename: /etc/spwd.db |
| damage | <feistel> Dec 2 01:31:11 openbsdtest identd[27046]: /etc/pwd.db: Operation not permitted |
| damage | <feistel> Dec 2 01:31:11 openbsdtest identd[27046]: \ |
| damage | <feistel> getpwuid() could not map uid (25) to name |
| damage | <feistel> -------------------------------------- |
| damage | it is important to stress that Systrace works if in kernel there is support for draws up of the applications, is to say to be able to follow the sign of syscalls that a process uses |
| damage | <kroc<> feistel, what status have systrace in linux? |
| damage | its finishing the patch |
| damage | <krocz> feistel that of the ACL to the syscalls, come implemented in the patch of grsec |
| damage | <trulux> krocz, in the must of the MAC systems, RBAC, RSBAC, SELinux, etc.. |
| damage | it is right |
| damage | but my idea its present a framework for UNIX |
| damage | also like me more Systrace :-) |
| damage | afters everyone can choice how make a framework :-) |
| damage | (diapos 13) |
| damage | how see a systrace politic ? |
| damage | <feistel> ------------------------------ |
| damage | <feistel> Policy: /bin/ls, Emulation: native |
| damage | <feistel> native-munmap: permit |
| damage | <feistel> [...] |
| damage | <feistel> native-stat: permit |
| damage | <feistel> native-fsread: filename match "/usr/*" then permit |
| damage | <feistel> native-fsread: filename eq "/tmp" then permit |
| damage | <feistel> native-fsread: filename eq "/etc" then deny[enotdir] |
| damage | <feistel> native-fchdir: permit |
| damage | <feistel> native-fstat: permit |
| damage | <feistel> native-fcntl: permit |
| damage | <feistel> [...] |
| damage | <feistel> native-close: permit |
| damage | <feistel> native-write: permit |
| damage | <feistel> native-exit: permit |
| damage | <feistel> ---------------------------------- |
| damage | soon like in all ACL, there is an expression to evaluate and an action to take in this case |
| damage | permit or deny sees that this single case /bin/ls has access of reading to filesystem (fsread) /usr/ and |
| damage | to the directory /tmp Systrace brings some utiles tools a first generator of politics |
| damage | a first monitoring generator of politics that the applications to sandboxing and generates one politic |
| damage | with all syscalls that uses, with action permit during the monitoring you use the application as in |
| damage | the called production all syscall is registered and so is generated the politics |
| damage | with all "permit" in your home once you have the politic you apply with something like |
| damage | # systrace to it - /usr/sbin/inetd |
| damage | and ready! /usr/sbin/inetd already this in his sandbox! a grafical tool (to see the figure) |
| damage | another characteristic can also attend you in the preparation of the politics |
| damage | that I like of Systrace is the support for scaling of privileges, |
| damage | which eliminates the necessity to use the dangerous SUID/GUID these politics see something asi: |
| damage | <feistel> ------------------------------------------- |
| damage | <feistel> native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root |
| damage | <feistel> native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root |
| damage | <feistel> native-fsread: filename eq "/dev/kmem" then permit as :kmem |
| damage | <feistel> ------------------------------------------- |
| damage | finally which there is of the cost of overhead of Systrace because it depends on the application, |
| damage | there can see some now benchmarks if we have good framework! |
| damage | * (we removed to the dangerous SUID/GUID thanks to Systrace) |
| damage | * chroot jailing: we confined the application to filesystem |
| damage | * privilege separation: we hid I modulate with privileged access of the clients |
| damage | * W^X: we establish politics to the vulnerable areas of memory |
| damage | * ProPolice: we protect our application against stack-smashing attack |
| damage | * Systrace: we bordered to the application in sandbox controlled |
| damage | --fin--- |
| krocz | CLAP CLAP CLAP CLAP CLAP |
| krocz | CLAP CLAP CLAP CLAP CLAP |
| krocz | CLAP CLAP CLAP CLAP CLAP |
| krocz | CLAP CLAP CLAP CLAP CLAP |
| krocz | CLAP CLAP CLAP CLAP CLAP |
| damage | pense que no terminaba nunca |
| krocz | excelent job damage |
| damage | jeje |
| krocz | jajaja |
| krocz | salio larga |
| damage | sep |
| krocz | pero de nuevo te luciste :) |
| damage | y con human tambien |
| damage | :D |
| krocz | ahora chicos a remojar los dedos |
| krocz | en agua |
| damage | voi a comer algo jejeje |
| krocz | sigue logeando en el #linux |
| Max | :) |
| damage | ok |
The Organizing Comittee
