UNIX SECURITY and COMPUTER FORENSICS, presented to Dr. Loai Al Tawalbeh, New York Institute of Technology (PowerPoint presentation transcript)



1
UNIX SECURITY and COMPUTER FORENSICS
Presented to Dr. Loai Al Tawalbeh, New York Institute of
Technology, Amman campus, 2007
  • MOHAMMED HUSSAIN

2
An operating system
  • The OS is a program that acts as an intermediary
    between the user (application programs) and the
    hardware resources.
  • The OS interacts with the hardware and manages programs.
  • Programs are not expected to know which hardware they
    will run on, so they cannot manage it themselves.
  • The OS provides a safe environment for programs to
    run.

3
What is an Operating System?
4
Unix architecture: the kernel
  • A program that always resides in memory.
  • Has direct access to the hardware.
  • Manages processes and memory, and performs all
    housekeeping.
  • Only one copy, shared by all users.

5
Shell
  • A program started for the user at login; it takes
    commands from a command line or a graphical
    interface and asks the kernel to carry them out.
  • At least one shell is invoked by every user, so a
    system may have several different shells running
    simultaneously.
  • Interface between the user and the kernel.

6
UNIX Architecture (layers, top to bottom)
  • User
  • Shell, which executes the binaries: cp, mv, grep,
    tar, who, ps
  • Kernel
  • Hardware
7
Interacting with the Shell
  • The shell prints a prompt and waits for you to
    type in a command.
  • The shell deals with two types of commands:
  • shell internals - commands that the shell handles
    directly.
  • external programs - the shell runs a program for
    you.

8
Types of commands
  • External program on disk, which could be
  • a binary executable (written in C, C++, ...), or
  • a script file (like a shell or Perl script).
  • Internal command of the shell, which could be
  • a builtin (like cd, pwd, etc.), or
  • an alias defined by the user that invokes the
    disk or internal version in a specific manner.

9
Why security?
  • Availability
  • Confidentiality
  • Integrity (system files)

10
  • We need to identify the mechanisms UNIX uses to
    enforce security at the low and the high level of
    the operating system.
  • Files, directories and their permissions are the
    main components of such a system.

11
Ordinary step in any secure OS
  • PROBLEM
  • Secure the OS from unwanted users,
  • and secure the internal processes from each
    other.
  • SOLUTION
  • Define a specific domain that each user/process can
    access.

12
Domain implementation
  • Two domain groups:
  • User
  • Superuser (can do everything, UID 0)
  • User domain group
  • Domain = user-id (UID)
  • Domain switch accomplished via the file system:
  • each executable file has a domain bit associated
    with it (the setuid bit, SUID).
  • When a file with setuid on is executed, the
    effective user-id of the new process is set to the
    owner of the file. The switch lasts only for that
    process: when it exits (exit() in the child), the
    parent continues with its own user-id.

13
Basic Unix Security Model
  • User authenticated on logon
  • User ID associated with process
  • Default Group ID associated with process
  • Default login shell listed in the passwd file
    (/etc/passwd)
  • Groups defined in /etc/group
  • Set of users listed with each group definition
  • User can be member of multiple groups

14
Users and permissions
  • Three types of users:
  • root (the superuser)
  • privileged users
  • other users
  • We assign access permissions on files and
    directories for these users
  • ACL (access control list)

15
Unix Access Control
  • Three permission triplets (one octal digit each)
    associated with each file and directory:
  • Owner, group, and other
  • Read, write, execute
  • For each file/directory
  • Can specify RWX permissions for the owner, one
    group, and everyone else (other)

16
Other Bits
  • Set UID and Set GID bits
  • When set, the process created by executing the file
    takes on the user ID or group ID of the file's
    owner or group
  • Secure shell (SSH)
  • Accessing a system remotely and securely.
  • Sticky bit
  • On directories, prevents anyone but the owner of a
    file (plus the directory's owner and root) from
    removing that file from the directory
  • syslog daemon (logs access)

17
Directories
Under UNIX, directories are special files (writable
only by the OS). A directory file is an unsorted
linked list of entries mapping filenames to inodes
(the inode holds the file's attributes and its
location on disk). On the classic UNIX filesystems
a directory grows to be large enough to hold all its
entries, but if the number of files later shrinks,
the directory size WILL NOT shrink.
  • ls -l foo
  • -rw-rw----  1 hollingd grads 13 Jan 10 23:05 foo
  • fields, left to right: permissions, link count,
    owner, group, size, modification time, name
18
Files
  • Regular Files
  • binary
  • GIF, JPEG, Executable etc.
  • text
  • scripts, program source code, documentation

19
Files (cont.)
  • Directory
  • Can contain ANY kind of file
  • . (dot): the special name for the current
    directory.
  • .. (dot dot): the special name for the directory
    above the current directory.
  • Device File
  • Allows programs to communicate with hardware.
  • Kernel modules handle device management.

20
File Time Attributes
  • Time Attributes
  • when the file's contents were last changed
    (mtime): ls -l
  • when the file's status last changed (ctime):
    ls -lc. Often mis-described as the creation time,
    but it is actually the time the inode (status)
    last changed, e.g. permissions or owner changed or
    the file renamed. Classic UNIX keeps no creation
    time at all.
  • when the file was last read (accessed) (atime):
    ls -lu

21
File permissions
File type (first character of the ls -l mode):
  - plain file, d directory, c character device (tty,
  printer), b block device (disk, CD-ROM), l symbolic
  link, s socket, p FIFO
Example: -rwxr--r--
  • rwx: access granted to the owner
  • r--: access granted to group members
  • r--: access granted to others
  • r: read / w: write / x: execute
22
File Protection
  • Given the following output from ls -l
  • -rwxr-xr-x jason research ... test.exe
  • ----rwxr-- jason research ... example.exe
  • jason has full access to test.exe
  • jason has no access to example.exe even though he
    belongs to the research group: the owner class is
    checked first and alone decides for the owner
  • Any member of the research group (except jason)
    has full access to example.exe

23
Unix Accounts
  • To access a Unix system you need to have an
    account.
  • Unix account includes
  • username and password
  • userid and groupid
  • home directory
  • shell

24
User accounts
  • 1. User name
  • a username is (typically) a sequence of
    alphanumeric characters of length no more than 8.
  • 2. Password
  • a secret string that only the user knows, not
    less than 8 characters.
  • The user ID (UID) is an integer (16-bit on older
    systems, 32-bit on modern ones) that identifies the
    account. Users rarely see the number, but it, not
    the username, is what the kernel checks on every
    access decision.

25
Users and Ownership: /etc/passwd
  • Every file is owned by one of the system's users;
    identity is represented by the user-id (UID).
  • The password file associates UIDs with system
    users. Each line holds login name, password field,
    UID, GID, comment, home directory and login shell,
    separated by colons:
  • gates:x:65:20:B. Gates:/home/gates:/bin/ksh

26
SUID/SGID/sticky bits
  • SUID (set uid)
  • The process is granted access to system resources
    based on the user who owns the file, not the user
    who ran it.
  • SGID (set gid)
  • (For a file) Same as SUID except the group is
    affected.
  • (For a directory) Files created in that directory
    will have their group set to the directory's
    group.
  • sticky bit
  • If set on a directory, a user may delete or rename
    only the files he owns (the directory's owner and
    root may remove any), even when he has write
    access to the directory (e.g. /tmp).
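The following is an added example, not code from the original slides: a Python audit that walks a directory tree and reports set-UID/set-GID files and world-writable directories with and without the sticky bit, the checks a hardening review runs after the slide above. It builds a throw-away temporary tree to run against; the file and directory names in it are constructed for the demo.

```python
"""Audit a directory tree for set-UID / set-GID files and for
world-writable directories that lack the sticky bit.

Added example; not part of the original slides.  Standard library only;
the demo tree below is constructed in a temporary directory."""
import os
import stat
import tempfile


def audit_tree(root):
    """Walk root and return a dict of findings keyed by kind:
    'suid', 'sgid'  -> regular files with the set-UID / set-GID bit
    'ww_no_sticky'  -> world-writable directories without the sticky bit
    'ww_sticky'     -> world-writable directories protected by the sticky bit
    Symlinks are lstat()ed and not followed, so a link into /usr/bin
    cannot make a system binary appear as a finding inside root."""
    found = {"suid": [], "sgid": [], "ww_no_sticky": [], "ww_sticky": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH:
                    key = "ww_sticky" if mode & stat.S_ISVTX else "ww_no_sticky"
                    found[key].append(path)
            elif stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    found["suid"].append(path)
                if mode & stat.S_ISGID:
                    found["sgid"].append(path)
    return found


def build_demo_tree():
    """Construct a throw-away tree exercising each case; return its root."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    # A 'binary' with the set-UID bit: anyone executing it would run with
    # the owner's UID (what /usr/bin/passwd does for root).
    suid_bin = os.path.join(root, "setuid-tool")
    with open(suid_bin, "w"):
        pass
    os.chmod(suid_bin, 0o4755)
    # Plain executable: must not be reported.
    plain = os.path.join(root, "plain-tool")
    with open(plain, "w"):
        pass
    os.chmod(plain, 0o755)
    # /tmp-style directory: world-writable AND sticky, acceptable.
    os.mkdir(os.path.join(root, "tmp-like"))
    os.chmod(os.path.join(root, "tmp-like"), 0o1777)
    # World-writable without the sticky bit: anyone can delete anyone's files.
    os.mkdir(os.path.join(root, "dropbox"))
    os.chmod(os.path.join(root, "dropbox"), 0o777)
    return root


def audit_demo():
    """Run the audit over the demo tree; return base names per finding kind."""
    found = audit_tree(build_demo_tree())
    return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, names in audit_demo().items():
        print(f"{kind:13s} {names}")
```

On a live system the same two checks are `find / -xdev -type f -perm -4000` (set-UID files) and `find / -xdev -type d -perm -0002 ! -perm -1000` (world-writable directories without the sticky bit); compare the set-UID list against a known-good baseline, since a new entry is a classic sign of a left-behind backdoor.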

27
Advanced Access Control Lists
The permissions defined by ACLs are a superset of
the permissions specified by the file permission
bits. The permissions defined for the file owner
correspond to the permissions of the ACL_USER_OBJ
entry. The permissions defined for the file
group correspond to the permissions of the
ACL_GROUP_OBJ entry, if the ACL has no ACL_MASK
entry. If the ACL has an ACL_MASK entry, then the
permissions defined for the file group correspond
to the permissions of the ACL_MASK entry. The
permissions defined for the other class
correspond to the permissions of the
ACL_OTHER_OBJ entry. Modification of the file
permission bits results in the modification of
the permissions in the associated ACL entries.
Modification of the permissions in the ACL
entries results in the modification of the file
permission bits.
Example (getfacl output):
  user::rw-
  user:lisa:rw-
  group::r--
  group:toolies:rw-
  mask::r--
  other::r--
Because the mask is r--, lisa and the toolies group
effectively get read only, even though their own
entries say rw-.
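Added example, not from the original slides: Python code that makes the access decision for the two listings on slide 22 (jason and the research group) and for the ACL quoted on slide 27 (user lisa, group toolies, mask r--), following the order of evaluation from acl(5). Names other than those on the slides (the ACL file's owner fred, its group staff, the users alice, bob and tom) are made up for the demo.

```python
"""Access decisions for classic mode bits (slide 22) and POSIX ACLs (slide 27).

Added example; not part of the original slides.  Standard library only."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(s):
    """'rwx' -> 7, 'r--' -> 4, '---' -> 0 (ls / getfacl notation)."""
    return sum(PERM_BITS[c] for c in s if c != "-")


def parse_mode(ls_mode):
    """Split an ls -l mode string such as '-rwxr-xr-x' into
    (type char, owner bits, group bits, other bits)."""
    if len(ls_mode) != 10:
        raise ValueError("expected 10-character mode string: %r" % ls_mode)
    return (ls_mode[0], parse_perms(ls_mode[1:4]),
            parse_perms(ls_mode[4:7]), parse_perms(ls_mode[7:10]))


def unix_access(ls_mode, owner, group, user, user_groups, want):
    """Classic rule: exactly one class applies, chosen in the order
    owner -> group -> other, and that class alone decides.  The owner is
    never 'promoted' to the group class, which is why jason is locked out
    of '----rwxr--' although he is a member of research."""
    _, o, g, other = parse_mode(ls_mode)
    if user == owner:
        allowed = o
    elif group in user_groups:
        allowed = g
    else:
        allowed = other
    need = parse_perms(want)
    return (allowed & need) == need


def acl_access(acl, owner, group, user, user_groups, want):
    """POSIX ACL algorithm as in acl(5): ACL_USER_OBJ, then a matching
    ACL_USER, then ACL_GROUP_OBJ / every matching ACL_GROUP (any one that
    grants the request suffices), then ACL_OTHER.  Named-user and all
    group entries are ANDed with ACL_MASK; owner and other are not.
    `acl` mirrors getfacl output: {'user': 'rw-', 'users': {name: perms},
    'group': 'r--', 'groups': {name: perms}, 'mask': 'r--', 'other': 'r--'}."""
    need = parse_perms(want)
    mask = parse_perms(acl.get("mask", "rwx"))      # no mask entry: no limit
    if user == owner:
        return (parse_perms(acl["user"]) & need) == need
    if user in acl.get("users", {}):                 # named user decides alone
        return (parse_perms(acl["users"][user]) & mask & need) == need
    candidates = []
    if group in user_groups:
        candidates.append(acl["group"])
    candidates += [p for g, p in acl.get("groups", {}).items() if g in user_groups]
    if candidates:                                   # group class: any grant wins
        return any((parse_perms(p) & mask & need) == need for p in candidates)
    return (parse_perms(acl["other"]) & need) == need


def demo():
    """Decisions for the two slides; returns {description: bool}."""
    r = {}
    # Slide 22: jason owns both files; alice is in research; bob is not.
    r["jason rwx test.exe"] = unix_access("-rwxr-xr-x", "jason", "research", "jason", {"research"}, "rwx")
    r["jason r example.exe"] = unix_access("----rwxr--", "jason", "research", "jason", {"research"}, "r")
    r["alice rwx example.exe"] = unix_access("----rwxr--", "jason", "research", "alice", {"research"}, "rwx")
    r["bob r example.exe"] = unix_access("----rwxr--", "jason", "research", "bob", {"users"}, "r")
    # Slide 27 ACL.  Owner 'fred' and file group 'staff' are made up.
    acl = {"user": "rw-", "users": {"lisa": "rw-"}, "group": "r--",
           "groups": {"toolies": "rw-"}, "mask": "r--", "other": "r--"}
    r["lisa w (mask r--)"] = acl_access(acl, "fred", "staff", "lisa", {"staff"}, "w")
    r["lisa r (mask r--)"] = acl_access(acl, "fred", "staff", "lisa", {"staff"}, "r")
    r["tom(toolies) w (mask r--)"] = acl_access(acl, "fred", "staff", "tom", {"toolies"}, "w")
    wider = dict(acl, mask="rw-")     # what 'chmod g+w' does once a mask exists
    r["lisa w (mask rw-)"] = acl_access(wider, "fred", "staff", "lisa", {"staff"}, "w")
    r["tom(toolies) w (mask rw-)"] = acl_access(wider, "fred", "staff", "tom", {"toolies"}, "w")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, "granted" if v else "denied"))
```

The last two rows are the practical trap on slide 27: running `chmod g+w` on a file that carries a mask does not touch the group entry, it raises the mask, and thereby silently widens every named-user and named-group entry at once.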
28
Log files
  • Log files are normally kept in /var/log
  • Read them!
  • syslog logs the system and what is happening on
    it
  • Logcheck is a handy utility which checks the
    contents of logs and mails anything unusual
  • http://www.psionic.com/abacus/logcheck/
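An added example of the logcheck idea, not code from the slides or from the Logcheck project: a Python triage that drops syslog lines matching known-benign patterns, flags lines matching attack patterns, and reports whatever is left as unusual for a human to read. The log lines and the pattern lists are constructed for the demo and are a starting point, not a rule base.

```python
"""Logcheck-style triage of syslog lines.

Added example; not from the slides or from Logcheck.  The sample log and
the pattern sets are constructed for the demo."""
import re

# Known-benign: a matching line is dropped (logcheck's "ignore" files).
IGNORE = [
    r"CRON\[\d+\]: \(\w+\) CMD ",
    r"sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+",
    r"systemd\[1\]: Started ",
]
# Security events: reported first, whatever else matches (logcheck's "violations").
ALERT = [
    r"sshd\[\d+\]: Failed password for (invalid user )?\w+ from [\d.]+",
    r"su\[\d+\]: FAILED SU",
    r"sudo: .*COMMAND=",
    r"promiscuous mode",
]
# Attack-looking lines an admin has confirmed benign ("violations.ignore"):
# here, the deploy account restarting one service via sudo.
ALERT_IGNORE = [
    r"sudo:\s+deploy : .*COMMAND=/usr/bin/systemctl restart app$",
]

IGNORE_RE = [re.compile(p) for p in IGNORE]
ALERT_RE = [re.compile(p) for p in ALERT]
ALERT_IGNORE_RE = [re.compile(p) for p in ALERT_IGNORE]


def triage(lines):
    """Return {'alerts': [...], 'unusual': [...], 'ignored': n}.
    Order matters: attack patterns are tested before benign ones, so a line
    cannot be hidden by also matching an ignore rule; only the narrow
    ALERT_IGNORE list may suppress an alert."""
    out = {"alerts": [], "unusual": [], "ignored": 0}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if any(r.search(line) for r in ALERT_RE):
            if any(r.search(line) for r in ALERT_IGNORE_RE):
                out["ignored"] += 1
            else:
                out["alerts"].append(line)
        elif any(r.search(line) for r in IGNORE_RE):
            out["ignored"] += 1
        else:
            out["unusual"].append(line)
    return out


# Constructed sample: eight lines in classic syslog format.
SAMPLE_LOG = """\
Jan 10 23:05:01 host CRON[4121]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 23:05:07 host sshd[4130]: Accepted publickey for alice from 10.0.0.7 port 51022 ssh2
Jan 10 23:05:09 host sshd[4133]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Jan 10 23:05:10 host sshd[4133]: Failed password for root from 203.0.113.9 port 40123 ssh2
Jan 10 23:05:15 host sudo:   deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Jan 10 23:05:16 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 10 23:05:20 host kernel: device eth0 entered promiscuous mode
Jan 10 23:05:25 host smartd[611]: Device: /dev/sda, 3 Currently unreadable (pending) sectors
"""


def triage_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    r = triage_sample()
    for a in r["alerts"]:
        print("ALERT  ", a)
    for u in r["unusual"]:
        print("UNUSUAL", u)
    print("ignored:", r["ignored"])
```

Two of the four alerts are the password-guessing attempts; the other two (an interactive root shell via sudo and an interface in promiscuous mode, i.e. a sniffer) are the kind of line an attacker hopes nobody reads. The smartd line is not an attack but is still surfaced, which is the point of the unusual bucket.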

29
Advanced TCP/IP Firewalls
30
  • UNIX and Forensics

31
Privacy Through Media Mutilation
  • Basic enabler: data is very hard to kill.
  • [Figure: pictured alternatives for destroying the
    medium] or forensically-secure file deletion
    software (but make sure it works!) or a degausser.

32
  • Digital evidence is everywhere in the area under
    investigation.
  • It is inside and outside the allocated space, or
    embedded in other files.
  • Or even on cell phones.
  • Temp files, print spools, zipped files, the Windows
    registry.

33
  • But anti-forensics can play a negative role in
    the investigation process.

34
Hiding Data in Slack Space with bmap: file carving
won't help!
[Figure: a file whose allocated blocks hold an
innocuous letter ("To Whom It May Concern ... Best,
Fred") and C source ("#include ... void zapQ(void)"),
while the slack space after the end of the file
holds the hidden text "password is friday"]
bmap: tools for creating a simple filesystem in
slack space
35
1
  • lsof
  • version 4.63
  • Vic Abell
  • ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

36
FUNCTIONS
  • List open files
  • regular files
  • directories
  • device files
  • executing text file
  • library (for dynamic load libraries)
  • network file (socket, NFS file)
  • stream

37
What Has a Process Opened?
  • lsof -p 78957
  COMMAND   PID   USER FD  TYPE   DEVICE SIZE/OFF   NODE NAME
  dc      78957 bishop cwd VDIR 3,131077     2560   8482 /usr/home/bishop
  dc      78957 bishop rtd VDIR 3,131072      512      2 /
  dc      78957 bishop txt VREG 3,131077    27452   7953 /usr/bin/dc
  dc      78957 bishop txt VREG 3,131077    71976 992435 /usr/libexec/ld-elf.so.1
  dc      78957 bishop txt VREG 3,131077   116092 286210 /usr/lib/libm.so.2
  dc      78957 bishop txt VREG 3,131077   531444 287065 /usr/lib/libc.so.4
  dc      78957 bishop  0u VCHR      5,2    0t735   8176 /dev/ttyp2
  dc      78957 bishop  1u VCHR      5,2    0t735   8176 /dev/ttyp2
  dc      78957 bishop  2u VCHR      5,2    0t735   8176 /dev/ttyp2

You can also use -c cmdbegin to select the processes
whose command name begins with cmdbegin.
38
What Has a User Opened?
  • lsof +M -u daemon
  COMMAND PID   USER FD  TYPE     DEVICE SIZE/OFF   NODE NAME
  portmap  84 daemon cwd VDIR   3,131072      512      2 /
  portmap  84 daemon rtd VDIR   3,131072      512      2 /
  portmap  84 daemon txt VREG   3,131077    11088  64023 /usr/sbin/portmap
  portmap  84 daemon txt VREG   3,131077    71976 992435 /usr/libexec/ld-elf.so.1
  portmap  84 daemon txt VREG   3,131077    24776 287069 /usr/lib/libwrap.so.3
  portmap  84 daemon txt VREG   3,131077   531444 287065 /usr/lib/libc.so.4
  portmap  84 daemon  0u VCHR        2,2      0t0   7828 /dev/null
  portmap  84 daemon  1u VCHR        2,2      0t0   7828 /dev/null
  portmap  84 daemon  2u VCHR        2,2      0t0   7828 /dev/null
  portmap  84 daemon  3u IPv4 0xc7c6dc00      0t0    UDP *:sunrpc[portmapper]
  portmap  84 daemon  4u IPv4 0xc7c9ed80      0t0    TCP *:sunrpc[portmapper] (LISTEN)

The [portmapper] suffix is the portmapper registration
name/number; +M turns this reporting on.
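Added example, not from the slides or from lsof: a Python parser for the default lsof output format shown above that answers the two questions the listings raise, which program each process is actually running and which processes hold listening sockets. The sample listing is reconstructed from the slides, with the NAME column written the way lsof prints a wildcard-bound socket; for scripts against a live system prefer `lsof -F` (field output) with `-n -P` to suppress name lookups.

```python
"""Parse default `lsof` output: which binary is each process running, and
who is listening on the network?

Added example; not from the slides or from lsof.  LSOF_SAMPLE is
reconstructed from the two listings on the slides."""

COLUMNS = ["command", "pid", "user", "fd", "type", "device", "size_off", "node", "name"]

LSOF_SAMPLE = """\
COMMAND   PID   USER   FD   TYPE     DEVICE SIZE/OFF   NODE NAME
portmap    84 daemon  cwd   VDIR   3,131072      512      2 /
portmap    84 daemon  rtd   VDIR   3,131072      512      2 /
portmap    84 daemon  txt   VREG   3,131077    11088  64023 /usr/sbin/portmap
portmap    84 daemon  txt   VREG   3,131077    71976 992435 /usr/libexec/ld-elf.so.1
portmap    84 daemon  txt   VREG   3,131077    24776 287069 /usr/lib/libwrap.so.3
portmap    84 daemon  txt   VREG   3,131077   531444 287065 /usr/lib/libc.so.4
portmap    84 daemon    0u  VCHR        2,2      0t0   7828 /dev/null
portmap    84 daemon    1u  VCHR        2,2      0t0   7828 /dev/null
portmap    84 daemon    2u  VCHR        2,2      0t0   7828 /dev/null
portmap    84 daemon    3u  IPv4 0xc7c6dc00      0t0    UDP *:sunrpc
portmap    84 daemon    4u  IPv4 0xc7c9ed80      0t0    TCP *:sunrpc (LISTEN)
dc      78957 bishop  cwd   VDIR   3,131077     2560   8482 /usr/home/bishop
dc      78957 bishop  txt   VREG   3,131077    27452   7953 /usr/bin/dc
dc      78957 bishop    0u  VCHR        5,2    0t735   8176 /dev/ttyp2
"""


def parse_lsof(text):
    """Return one dict per row.  The first eight columns never contain
    blanks, so split(None, 8) keeps a NAME such as '*:sunrpc (LISTEN)'
    intact.  Rows with fewer fields (lsof omits SIZE/OFF for some file
    types) are rejected instead of being silently misaligned."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or lines[0].split()[:4] != ["COMMAND", "PID", "USER", "FD"]:
        raise ValueError("not lsof default output")
    rows = []
    for line in lines[1:]:
        parts = line.split(None, 8)
        if len(parts) != 9:
            raise ValueError("unexpected field count: %r" % line)
        row = dict(zip(COLUMNS, parts))
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def executables(rows):
    """pid -> path of the program text.  On the slides' BSD-style system the
    first 'txt' entry is the binary itself and the rest are its libraries."""
    out = {}
    for r in rows:
        if r["fd"] == "txt" and r["pid"] not in out:
            out[r["pid"]] = r["name"]
    return out


def listeners(rows):
    """(command, pid, user, proto, address) for every TCP socket in LISTEN
    state and every UDP socket (UDP has no listen state: any bound UDP
    socket receives datagrams)."""
    out = []
    for r in rows:
        if r["type"] not in ("IPv4", "IPv6"):
            continue
        if r["node"] == "TCP" and "(LISTEN)" not in r["name"]:
            continue
        out.append((r["command"], r["pid"], r["user"], r["node"],
                    r["name"].replace(" (LISTEN)", "")))
    return out


def summarize(text=LSOF_SAMPLE):
    rows = parse_lsof(text)
    return {"rows": len(rows), "executables": executables(rows), "listeners": listeners(rows)}


if __name__ == "__main__":
    s = summarize()
    for pid, path in s["executables"].items():
        print(f"pid {pid} runs {path}")
    for cmd, pid, user, proto, addr in s["listeners"]:
        print(f"{cmd}[{pid}] as {user}: {proto} {addr}")
```

Comparing the `executables` map against the package manager's file list is a quick way to spot a daemon whose binary has been replaced, and the `listeners` list is what an nmap scan of the host (next section) should agree with.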
45
2
  • nmap
  • Version 3.00
  • by Fyodor (fyodor@dhp.com)
  • http://www.insecure.org/nmap/

46
Scan types
  • To scan hosts looking for open ports:
  • TCP connect
  • TCP SYN (a.k.a. half-open)
  • TCP FIN (a.k.a. stealth)
  • TCP SYN/FIN using IP fragments
  • TCP ftp proxy (a.k.a. bounce attack)
  • UDP (raw ICMP port unreachable)
  • RPC scan
  • ACK/WIN scan
  • Ping scan
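Added example, not part of the slides or of nmap: a TCP connect scan in Python, the first scan type in the list, run against a dummy service on the loopback interface so that it works offline and without privileges. It also shows why connect scans are noisy: the target's accept() completes and records the scanner's address, which a SYN (half-open) scan avoids by never finishing the handshake, at the price of needing raw sockets and therefore root.

```python
"""TCP connect scan (nmap's -sT) against a dummy loopback service.

Added example; not from the slides or from nmap.  Standard library only."""
import socket
import threading


def tcp_connect_scan(host, ports, timeout=0.5):
    """Complete the three-way handshake on each port; a port is open when
    connect() succeeds.  Needs no privileges, but every open port sees a
    real connection, so the probe is logged by the service and by
    accept()-level wrappers such as tcpd/libwrap.  A SYN scan stops after
    SYN / SYN-ACK and never reaches accept(): 'half-open'."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 = connected, else errno
                open_ports.append(port)
    return open_ports


def demo():
    """Scan one listening and one closed loopback port; return what the
    scanner found and whether the 'service' saw the scanner connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # ephemeral port
    srv.listen(1)
    open_port = srv.getsockname()[1]
    # Bound but not listening: the kernel answers SYNs with RST (closed),
    # and holding the socket keeps the port from being reused meanwhile.
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]

    seen = []                               # what a real daemon would log

    def serve():
        conn, peer = srv.accept()
        seen.append(peer)
        conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    found = tcp_connect_scan("127.0.0.1", sorted([open_port, closed_port]))
    t.join(timeout=2)
    srv.close()
    closed.close()
    return {"open": found, "expected_open": [open_port],
            "service_logged_probe": len(seen) == 1}


if __name__ == "__main__":
    print(demo())
```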

47
3
  • Sleuthkit
  • Linux toolkit for forensics written by Brian
    Carrier
  • http://www.sleuthkit.org/
  • Command line tools for forensic analysis under
    UNIX
  • Graphical interface: Autopsy Forensic Browser

48
  • Timestamps are often crucial in forensic
    analysis:
  • Determining who was using a system
  • Determining if a system has been compromised
  • Determining when files were downloaded, modified,
    organized
  • Establishing whether a person could have actually
    committed a computer crime
  • Establishing the validity of alibis
  • Sleuthkit's MAC-time tools light up the filesystem
  • Idea
  • Create a timeline that begins with the date of
    creation for the first file of interest and
  • traces all subsequent file access, modification
    and creation dates
  • Good news: deleting a file counts as a
    modification (of the parent directory), and often
    the deletion dates of files can be retrieved
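Added example, not from the slides or from The Sleuth Kit: a minimal mactime-style timeline in Python that ties slide 20's three timestamps to the timeline idea above. It builds a temporary directory with two constructed files, backdates their modification and access times the way `touch -t` or utime() would, and then lists (time, flags, file) rows. The ctime cannot be set that way, so the timeline still shows the real moment the inode was altered; file names, contents and dates are constructed.

```python
"""A minimal mactime-style MAC timeline (slides 20 and 48).

Added example; not from the slides or from The Sleuth Kit.  Standard
library only; the files, contents and dates are constructed."""
import os
import tempfile
from datetime import datetime, timezone

# Constructed 'evidence' time the attacker wants the files to show:
# 2007-01-10 23:05:00 UTC.
BACKDATED = 1168470300


def collect_mac(root):
    """path -> (mtime, atime, ctime) for everything under root.  lstat()
    reports links as themselves rather than following them."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            out[path] = (st.st_mtime, st.st_atime, st.st_ctime)
    return out


def mac_timeline(mac):
    """Rows of (epoch seconds, flags, path) sorted by time.  Flags are a
    subset of 'mac' naming which of the file's timestamps fall at that
    instant, as mactime prints them ('ma' = modified and accessed at the
    same moment, 'c' = only the inode change time)."""
    rows = {}
    for path, (m, a, c) in mac.items():
        for flag, t in (("m", m), ("a", a), ("c", c)):
            rows[(t, path)] = rows.get((t, path), "") + flag
    return [(t, flags, path) for (t, path), flags in sorted(rows.items())]


def build_demo_tree():
    """Two constructed files, both backdated by the 'attacker'."""
    root = tempfile.mkdtemp(prefix="mac-demo-")
    for name, content in (("report.txt", b"quarterly numbers\n"),
                          ("secret.txt", b"password is friday\n")):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        # 'touch -t 200701102305 file' in Python: utime() rewrites mtime and
        # atime only.  There is no API to set ctime; the kernel stamps it
        # with the current clock because the inode has just changed.
        os.utime(path, (BACKDATED, BACKDATED))
    return root


def demo():
    """Timeline of the constructed tree as (epoch, flags, basename)."""
    tl = mac_timeline(collect_mac(build_demo_tree()))
    return [(t, flags, os.path.basename(p)) for t, flags, p in tl]


if __name__ == "__main__":
    for t, flags, name in demo():
        stamp = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print(f"{stamp}  {flags:<3} {name}")
```

Each file produces an 'ma' row in 2007 and a lone 'c' row at the real time of the change; a ctime far later than both m and a is exactly the inconsistency an investigator looks for when a timeline has been doctored. chmod and chown move c in the same way without touching m or a.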

51
Popular Commercial Unix versions
  • Solaris (Sun Microsystems)
  • MacOS X (Apple Computer)
  • AIX (IBM)

52
Windows vs. Unix
  • Many beginner users find Windows easier to use
    than other operating systems
  • Linux has been primarily used by advanced computer
    users, programmers and developers
  • One fundamental difference between the two
    systems is the fact that Linux is "open source".

53
  • Linux requires at least a 386-class processor, so it
    is compatible with every later x86 architecture:
    486, Pentium, Pentium Pro, etc.
  • Drivers are available for many types of hardware
    devices
  • Linux program installation tends to be easier,
    since a restart is only required when a hardware
    device has been changed

54
Security
  • UNIX seems better prepared to protect itself,
    because from the beginning the development of
    Linux, UNIX and FreeBSD aimed at top-notch security
  • UNIX has no central registry like Windows', whose
    registry keys let a user browse the installed
    components and contain important information
  • UNIX is more virus-resistant: malicious programs
    either cannot run automatically on a Linux machine,
    or (Windows binaries) simply cannot be executed by
    the UNIX loader at all
  • Windows is often known for a large number of
    loopholes

55
References
  • http://www.faqs.org/rfcs/rfc2350.html
  • http://www.securityfocus.com/infocus/1769
  • http://sleuthkit.sourceforge.net/informer/sleuthkit-informer-11.html
  • http://www.cs.uno.edu/golden/teach.html
  • CERT (Computer Emergency Response Team):
    http://www.cert.org/
  • SysAdmin, Audit, Network, Security (SANS)
    Institute: http://www.sans.org/
  • Security Tracker: http://www.securitytracker.com/