Title: UNIX SECURITY and COMPUTER FORENSICS
Presented to Dr. Loai Al Tawalbeh, New York Institute of Technology, Amman campus, 2007
An operating system
- The OS is a program that acts as an intermediary between the user (application programs) and the hardware resources: it interacts with the hardware and manages programs.
- Programs are not expected to know which hardware they will run on, so they cannot manage it themselves.
- The OS provides a safe environment for programs to run.
Unix architecture: the kernel
- A program that always resides in memory.
- Has direct access to the hardware.
- Manages processes and memory, and performs all housekeeping.
- Only one copy, shared by all users.
Shell
- A program started when the user logs in (and on demand later); it accepts commands from a command line or a graphical interface and asks the kernel to run them.
- At least one shell is invoked by every user, so a system may have several different shells running simultaneously.
- The interface between the user and the kernel.
UNIX Architecture (layers, outermost first)
- User
- Shell, which executes the binaries: cp, mv, grep, tar, who, ps
- Kernel
- Hardware
Interacting with the Shell
- The shell prints a prompt and waits for you to type in a command.
- The shell deals with two types of commands:
  - shell internals: commands that the shell handles directly.
  - external programs: the shell runs a program for you.
Types of commands
- External program on disk, which could be:
  - a binary executable (written in C, C++)
  - a script file (like a shell or perl script)
- Internal command of the shell, which could be:
  - a builtin (like cd, pwd, etc.)
  - an alias defined by the user that invokes the disk or internal version in a specific manner
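Added example (not from the slides): how the shell resolves a command name in practice. A builtin such as cd is handled by the shell itself; an external program such as ls is found by searching PATH, so whoever controls a directory early in PATH controls what "ls" runs. The fake ls and the temporary directory below are created by the demo itself.

```sh
#!/bin/sh
# Added example: command resolution and a PATH hijack, in POSIX sh.

# resolve_cmd NAME: print "builtin" if the shell handles NAME itself,
# otherwise the file that the PATH search selects (nothing if not found).
resolve_cmd() {
    case $(command -V "$1" 2>/dev/null) in
        *"shell builtin"*) printf 'builtin\n' ;;
        *) command -v "$1" 2>/dev/null ;;
    esac
}

# path_hijack_demo: put a fake "ls" in a fresh directory, prepend that
# directory to PATH inside a subshell (the caller's PATH is untouched),
# clear the command hash table, and run "ls". Prints what actually ran.
path_hijack_demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "trojan ls running as $(id -un)"\n' > "$tmp/ls"
    chmod 755 "$tmp/ls"
    out=$(PATH="$tmp:$PATH"; hash -r; ls)
    rm -rf "$tmp"
    printf '%s\n' "$out"
}

resolve_cmd cd          # builtin
resolve_cmd ls          # e.g. /bin/ls
path_hijack_demo        # trojan ls running as <your user>
```

The demo is why setuid programs and root's scripts must never trust an inherited PATH: the first match wins, and "." or a world-writable directory in PATH turns every external command into an attack surface.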
Why security?
- Availability
- Confidentiality
- Integrity (system files)
- We need to identify the mechanisms UNIX provides to enforce security at both the low (kernel) and the high (user) level of the operating system.
- Files, directories and their permissions are the main components of such a system.
The ordinary step in any secure OS
- Problem:
  - secure the OS from unwanted users
  - secure the internal processes from each other
- Solution:
  - define a specific domain that each user/process can access
Domain implementation
- Two domain groups:
  - user
  - superuser (UID 0, can do everything)
- The user domain is identified by the user-id (UID).
- Domain switch is accomplished via the file system: each executable file carries a domain bit, the setuid (SUID) bit.
- When a file with setuid on is executed, the effective user-id of the process becomes the owner of the file being executed. The elevated identity lasts only for that process: when it exits (the child calls exit()), the caller's user-id is unaffected.
Basic Unix Security Model
- User authenticated on logon
- User ID associated with each process
- Default group ID associated with each process
- Default shell listed in the passwd file
- Groups defined in /etc/group
- Set of users listed with each group definition
- A user can be a member of multiple groups
Users and permissions
- Three types of users:
  - root (the superuser)
  - privileged users
  - other users
- We assign access permissions to files and directories (and, where the filesystem supports them, ACLs).
Unix Access Control
- Three permission triplets associated with each file and directory: owner, group, and other (usually written as three octal digits, e.g. 755).
- Each triplet: read, write, execute.
- For each file/directory, RWX permissions can be specified for exactly one owner, one group, and everybody else.
Other Bits
- Set UID and Set GID bits: when set, the process created by executing the file takes on the user ID or group ID associated with the file.
- Sticky bit: on directories, prevents anyone but the owner of a file (or the owner of the directory, or root) from removing that file.
- Also listed on the slide: Secure Shell (SSH), for accessing the system remotely and securely; the system daemon that handles access to the log files.
Directories
- Under UNIX, directories are special files, writable only by the OS. The directory file is an unsorted list of entries mapping filenames to inodes (the inode holds the file's attributes and its location on disk).
- A directory grows as needed to hold all its entries, but on traditional UNIX filesystems it does NOT shrink again when files are later removed: the old entry slots stay in the directory's blocks.
- ls -l foo
  -rw-rw---- 1 hollingd grads 13 Jan 10 23:05 foo
  (fields: permissions, link count, owner, group, size, time, name)
Files
- Regular files:
  - binary: GIF, JPEG, executables, etc.
  - text: scripts, program source code, documentation
Files (cont.)
- Directory:
  - can contain ANY kind of file
  - . (dot): the special name for the current directory
  - .. (dot dot): the special name for the directory above the current directory
- Device file:
  - allows programs to communicate with hardware
  - kernel modules handle device management
File Time Attributes
- Three timestamps per file (there is no creation time in the classic UNIX inode):
  - mtime, when the file's contents were last changed: ls -l
  - ctime, when the inode was last changed (contents written, permissions or ownership changed, file renamed): ls -lc
  - atime, when the file was last read (accessed): ls -lu
- ctime is often mistaken for a creation time; it is actually the time the file's status last changed.
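Added example (not from the slides): reading the three timestamps and using them to spot a backdated mtime. touch (and the utimes() call behind it) can set mtime and atime to any value, but ctime is always the kernel's clock at the moment of the change, so a ctime newer than the mtime deserves a second look. The file is created by the demo itself; the stat options assume GNU stat with BSD/macOS stat as the fallback.

```sh
#!/bin/sh
# Added example: mtime/atime/ctime and a simple timestomp check.

# file_times FILE: print "mtime atime ctime" in epoch seconds
# (GNU stat syntax first, BSD/macOS stat as the fallback).
file_times() {
    stat -c '%Y %X %Z' "$1" 2>/dev/null || stat -f '%m %a %c' "$1"
}

# timestomp_check FILE: prints "ok" (status 0) when ctime <= mtime,
# "suspicious ..." (status 1) when ctime is newer than mtime.
# Caveat: chmod/chown also bump ctime, so treat a hit as a lead, not proof.
timestomp_check() {
    set -- $(file_times "$1")
    if [ "$3" -gt "$1" ]; then
        printf 'suspicious: ctime %s is newer than mtime %s\n' "$3" "$1"
        return 1
    fi
    printf 'ok\n'
}

# demo: a freshly written file passes; after backdating its mtime it does not
demo_timestomp() {
    f=$(mktemp) || return 1
    printf 'evidence\n' > "$f"
    timestomp_check "$f"                 # ok
    touch -t 200101010000 "$f"           # mtime and atime now say 2001; ctime says now
    timestomp_check "$f" || true         # suspicious: ctime ... is newer than mtime ...
    rm -f "$f"
}
demo_timestomp
```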
File permissions
- File type (first character of the mode): - plain file, d directory, c character device (tty, printer), b block device (disk, CD-ROM), l symbolic link, s socket, p FIFO
- The remaining nine characters are three triplets, e.g. -rwxr--r--:
  - characters 2-4: access granted to the owner (rwx)
  - characters 5-7: access granted to group members (r--)
  - characters 8-10: access granted to others (r--)
- r read, w write, x execute
File Protection
- Given the following output from ls -l:
  -rwxr-xr-x jason research ... test.exe
  ----rwxr-- jason research ... example.exe
- jason has full access to test.exe
- jason has no access to example.exe even though he belongs to the research group: the kernel consults only the owner triplet for the owner, and never falls through to the group triplet
- Any member of the research group (except jason) has full access to example.exe
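Added example (not from the slides): the permission decision the slide walks through, written as a shell function so the "no fallthrough" rule can be exercised. Exactly one class is consulted: owner if the caller owns the file, else group if the caller is in the file's group, else other. The root special case (root bypasses read and write checks but still needs at least one execute bit to run a file) is added here; the user names are the slide's.

```sh
#!/bin/sh
# Added example: the classic UNIX DAC decision for one file and one caller.

in_list() { needle=$1; shift; for item; do [ "$item" = "$needle" ] && return 0; done; return 1; }

# access_check MODE OWNER GROUP USER "GROUP1 GROUP2 ..." OP
#   MODE: the 10-character ls -l field, e.g. -rwxr-xr-x
#   OP:   r, w or x
# Returns 0 if allowed, 1 if denied.
access_check() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5 op=$6
    bits=$(printf '%s' "$mode" | cut -c2-)      # drop the file-type character
    if [ "$user" = root ]; then
        [ "$op" != x ] && return 0              # root reads and writes anything
        case $bits in *[xst]*) return 0 ;; *) return 1 ;; esac
    fi
    if [ "$user" = "$owner" ]; then cls=$(printf '%s' "$bits" | cut -c1-3)
    elif in_list "$group" $ugroups; then cls=$(printf '%s' "$bits" | cut -c4-6)
    else cls=$(printf '%s' "$bits" | cut -c7-9); fi
    case $op in
        r) [ "$(printf '%s' "$cls" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$cls" | cut -c2)" = w ] ;;
        x) case $(printf '%s' "$cls" | cut -c3) in x|s|t) return 0 ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# The slide's second file: jason owns it and is in research, yet gets nothing.
access_check ----rwxr-- jason research jason research r && echo allowed || echo denied   # denied
access_check ----rwxr-- jason research alice research w && echo allowed || echo denied   # allowed
```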
Unix Accounts
- To access a Unix system you need to have an account.
- A Unix account includes:
  - username and password
  - user ID and group ID
  - home directory
  - shell
User accounts
- 1. User name: a username is (typically) a sequence of alphanumeric characters, traditionally no more than 8 characters long.
- 2. Password: a secret string that only the user knows, not less than 8 characters.
- The user ID (UID), by contrast, is a number (historically a 16-bit integer, 32 bits on modern systems) that identifies the account. Users rarely need to know it, but it is the UID, not the name, that the kernel uses for every access decision.
Users and Ownership: /etc/passwd
- Every file is owned by one of the system's users; that identity is represented by the user-id (UID).
- The password file associates UIDs with system users. Each line has the form name:password:UID:GID:full name:home directory:shell, for example (the slide's entry, with its field separators lost in extraction):
  gates x 6520 B. Gates /home/gates /bin/ksh
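Added example (not from the slides): the checks a reviewer runs over /etc/passwd, applied to a constructed sample so the script runs offline. All account names and UIDs in the sample are made up for the demonstration.

```sh
#!/bin/sh
# Added example: auditing passwd-format lines for the classic warning signs.

sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hollingd:x:1000:1000:D. Holling:/home/hollingd:/bin/ksh
toor:x:0:0:second root:/:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
EOF
}

# audit_passwd: read passwd-format lines on stdin and report
#  - any UID 0 account other than root (a second superuser is a classic backdoor)
#  - any account whose password field is empty (nothing is needed to log in)
#  - any UID shared by two accounts (they are one identity to the kernel)
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "extra UID 0 account: " $1 }
        $2 == ""                { print "empty password field: " $1 }
        { if ($3 in seen) print "duplicate UID " $3 ": " seen[$3] " and " $1; else seen[$3] = $1 }
    '
}

sample_passwd | audit_passwd
# extra UID 0 account: toor
# duplicate UID 0: root and toor
# empty password field: guest
```

On a real system the same function is fed with `audit_passwd < /etc/passwd`; where shadow passwords are in use, the "x" in field 2 is expected and the empty-field check must be repeated against /etc/shadow.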
SUID/SGID/sticky bits
- SUID (set uid): the process is granted access to system resources based on the user who owns the file, not the user who ran it.
- SGID (set gid):
  - for a file: same as SUID, except the group is affected.
  - for a directory: files created in that directory get their group set to the directory's group.
- Sticky bit: if set on a directory, a user may delete only the files he owns (the directory's owner and root may delete any), even when he has write access to the directory (e.g. /tmp).
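Added example (not from the slides): an inventory of the setuid/setgid programs under a directory that flags the ones which are also group- or world-writable, since anyone who can write such a file can make the owner (often root) run their code. On a real system the starting point is `find / -xdev -type f -perm -4000`; the demo builds its own scratch tree with made-up file names so it runs anywhere.

```sh
#!/bin/sh
# Added example: setuid/setgid inventory with a writability check.

# audit_setuid DIR: one line per setuid/setgid file, "ok" or "WRITABLE".
audit_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            printf 'WRITABLE %s\n' "$f"
        else
            printf 'ok %s\n' "$f"
        fi
    done
}

# demo_setuid_audit: a scratch tree with one sane setuid file, one
# world-writable setuid file and one ordinary file, then the audit.
demo_setuid_audit() {
    d=$(mktemp -d) || return 1
    : > "$d/passwd_like";  chmod 4755 "$d/passwd_like"
    : > "$d/leaky";        chmod 4777 "$d/leaky"
    : > "$d/plain";        chmod 755  "$d/plain"
    audit_setuid "$d"
    rm -rf "$d"
}

demo_setuid_audit
# ok /tmp/.../passwd_like
# WRITABLE /tmp/.../leaky
```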
Advanced Access Control Lists
- The permissions defined by ACLs are a superset of the permissions specified by the file permission bits. The permissions defined for the file owner correspond to the permissions of the ACL_USER_OBJ entry. The permissions defined for the file group correspond to the permissions of the ACL_GROUP_OBJ entry if the ACL has no ACL_MASK entry; if the ACL has an ACL_MASK entry, then the permissions defined for the file group correspond to the permissions of the ACL_MASK entry. The permissions defined for the other class correspond to the permissions of the ACL_OTHER_OBJ entry.
- Modification of the file permission bits results in the modification of the permissions in the associated ACL entries, and modification of the permissions in the ACL entries results in the modification of the file permission bits.
- Example (as getfacl prints it):
  user::rw-
  user:lisa:rw-
  group::r--
  group:toolies:rw-
  mask::r--
  other::r--
  The mask entry r-- clips the named entries: lisa and the toolies group effectively get r-- only, and the file's group permission bits show the mask (r--), not the group entry.
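Added example (not from the slides): how the mask clips the named-user, named-group and owning-group entries, computed over the slide's six ACL entries embedded as constructed getfacl-style input. On a live system `getfacl FILE` prints the entries and `setfacl -m m::r-- FILE` sets the mask; the computation below reproduces what the kernel does with them.

```sh
#!/bin/sh
# Added example: effective ACL permissions under a mask.

sample_acl() {
    cat <<'EOF'
user::rw-
user:lisa:rw-
group::r--
group:toolies:rw-
mask::r--
other::r--
EOF
}

# and_perm PERM MASK: bitwise AND of two rwx strings, e.g. rw- & r-- = r--
and_perm() {
    p=$1 m=$2 out= i=1
    while [ "$i" -le 3 ]; do
        pc=$(printf '%s' "$p" | cut -c"$i"); mc=$(printf '%s' "$m" | cut -c"$i")
        if [ "$pc" != - ] && [ "$pc" = "$mc" ]; then out="$out$pc"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_acl: read ACL entries on stdin and print each with its effective
# permissions. user:: (owner) and other:: are never masked; with no mask
# entry nothing is clipped.
effective_acl() {
    entries=$(cat)
    mask=$(printf '%s\n' "$entries" | awk -F: '$1 == "mask" { print $3 }')
    [ -n "$mask" ] || mask=rwx
    printf '%s\n' "$entries" | while IFS=: read -r tag name perm; do
        case "$tag:$name" in
            user:|other:|mask:) eff=$perm ;;
            *) eff=$(and_perm "$perm" "$mask") ;;
        esac
        printf '%s:%s:%s  effective:%s\n' "$tag" "$name" "$perm" "$eff"
    done
}

sample_acl | effective_acl
# user::rw-  effective:rw-
# user:lisa:rw-  effective:r--
# group::r--  effective:r--
# group:toolies:rw-  effective:r--
# mask::r--  effective:r--
# other::r--  effective:r--
```

This is the trap with `chmod g-w` on a file that carries an ACL: it rewrites the mask, silently reducing every named entry, which is also why `ls -l` shows a "+" after the mode bits.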
Log files
- Log files are normally kept in /var/log. Read them.
- syslog logs the system and what is happening on it.
- Logcheck is a handy utility which checks the contents of logs and mails anything unusual: http://www.psionic.com/abacus/logcheck/
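Added example (not from the slides): the kind of check Logcheck automates, done by hand on a few constructed auth-log lines in standard syslog/sshd format: count failed SSH logins per source address and list the worst offenders first. Host names, addresses and PIDs are made up.

```sh
#!/bin/sh
# Added example: failed-login detection over syslog-format lines.

sample_authlog() {
    cat <<'EOF'
Jan 10 23:05:01 host sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Jan 10 23:05:03 host sshd[4321]: Failed password for root from 203.0.113.7 port 51823 ssh2
Jan 10 23:05:09 host sshd[4330]: Accepted publickey for hollingd from 192.0.2.10 port 40022 ssh2
Jan 10 23:06:11 host sshd[4340]: Failed password for root from 198.51.100.4 port 33000 ssh2
Jan 10 23:06:12 host sshd[4340]: Failed password for root from 203.0.113.7 port 33001 ssh2
EOF
}

# failed_ssh_by_ip: read syslog lines on stdin, print "COUNT IP" per source,
# most failures first. The address is taken as the word after "from", so
# "invalid user" lines and ordinary ones are handled alike.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

sample_authlog | failed_ssh_by_ip
# 3 203.0.113.7
# 1 198.51.100.4
```

For a live box: `failed_ssh_by_ip < /var/log/auth.log` (Debian-style) or `< /var/log/secure` (Red Hat-style); a single address with a large count is the brute-force signature, a spread of single failures across many addresses the password-spray one.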
Advanced TCP/IP Firewalls

Privacy Through Media Mutilation
- Mutilate the media (shown as pictures on the slide), degauss it, or use forensically-secure file deletion software (but make sure it works!).
- Basic enabler: data is very hard to kill.
- Digital evidence is everywhere in the area under investigation: inside and outside the allocated space, embedded in other data, or even on cell phones.
- Temp files, print spools, zipped files, the Windows registry.

- But anti-forensic techniques can play a negative role in the investigation process.
Hiding Data in Slack Space with bmap
- Slack space is the unused tail of a file's last disk block. The slide's figure showed a short letter ("To Whom It May Concern ... Best, Fred") whose slack held the string "password is friday".
- File carving won't help: carving recovers whole files by their content and headers, and the slack bytes belong to no file.
- bmap: tools for creating a simple filesystem in slack space.
Tool 1: lsof
- version 4.63
- by Vic Abell
- ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
Functions
- Lists open files:
  - regular files
  - directories
  - device files
  - executing text files
  - libraries (dynamically loaded)
  - network files (sockets, NFS files)
  - streams
What Has a Process Opened?
- lsof -p 78957

  COMMAND   PID   USER  FD  TYPE   DEVICE SIZE/OFF   NODE NAME
  dc      78957 bishop cwd  VDIR 3,131077     2560   8482 /usr/home/bishop
  dc      78957 bishop rtd  VDIR 3,131072      512      2 /
  dc      78957 bishop txt  VREG 3,131077    27452   7953 /usr/bin/dc
  dc      78957 bishop txt  VREG 3,131077    71976 992435 /usr/libexec/ld-elf.so.1
  dc      78957 bishop txt  VREG 3,131077   116092 286210 /usr/lib/libm.so.2
  dc      78957 bishop txt  VREG 3,131077   531444 287065 /usr/lib/libc.so.4
  dc      78957 bishop  0u  VCHR      5,2    0t735   8176 /dev/ttyp2
  dc      78957 bishop  1u  VCHR      5,2    0t735   8176 /dev/ttyp2
  dc      78957 bishop  2u  VCHR      5,2    0t735   8176 /dev/ttyp2

- You can also select by command name with -c cmdbegin (matches commands whose names start with cmdbegin).
What Has a User Opened?
- lsof -M -u daemon

  COMMAND PID   USER  FD TYPE     DEVICE SIZE/OFF   NODE NAME
  portmap  84 daemon cwd VDIR   3,131072      512      2 /
  portmap  84 daemon rtd VDIR   3,131072      512      2 /
  portmap  84 daemon txt VREG   3,131077    11088  64023 /usr/sbin/portmap
  portmap  84 daemon txt VREG   3,131077    71976 992435 /usr/libexec/ld-elf.so.1
  portmap  84 daemon txt VREG   3,131077    24776 287069 /usr/lib/libwrap.so.3
  portmap  84 daemon txt VREG   3,131077   531444 287065 /usr/lib/libc.so.4
  portmap  84 daemon  0u VCHR        2,2      0t0   7828 /dev/null
  portmap  84 daemon  1u VCHR        2,2      0t0   7828 /dev/null
  portmap  84 daemon  2u VCHR        2,2      0t0   7828 /dev/null
  portmap  84 daemon  3u IPv4 0xc7c6dc00      0t0    UDP sunrpc[portmapper]
  portmap  84 daemon  4u IPv4 0xc7c9ed80      0t0    TCP sunrpc[portmapper] (LISTEN)

- The bracketed portmapper registration name/number is what -M adds.
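Added example (not from the slides): two things an investigator pulls out of lsof output: processes whose executable has been deleted from disk (the binary is gone but still running, a common trait of dropped malware) and processes holding listening sockets. The lsof lines below are constructed for the demo in the same column layout as the slide; the kthrd process, its path and port are made up.

```sh
#!/bin/sh
# Added example: triage of lsof output with awk.

sample_lsof() {
    cat <<'EOF'
COMMAND   PID   USER   FD   TYPE     DEVICE SIZE/OFF   NODE NAME
portmap    84 daemon  txt   VREG   3,131077    11088  64023 /usr/sbin/portmap
portmap    84 daemon   4u   IPv4 0xc7c9ed80      0t0    TCP *:sunrpc (LISTEN)
portmap    84 daemon   3u   IPv4 0xc7c6dc00      0t0    UDP *:sunrpc
dc      78957 bishop  txt   VREG   3,131077    27452   7953 /usr/bin/dc
kthrd    9134   root  txt   VREG   3,131077    61440 992001 /tmp/.x/kthrd (deleted)
kthrd    9134   root   3u   IPv4 0xc7d00100      0t0    TCP *:4444 (LISTEN)
EOF
}

# deleted_executables: "PID COMMAND PATH" for every txt entry marked (deleted);
# the running image can still be copied from /proc/PID/exe on Linux.
deleted_executables() {
    awk '$4 == "txt" && /\(deleted\)$/ { print $2, $1, $9 }'
}

# listeners: "PID COMMAND PROTO ADDRESS" for every listening TCP socket
# and every bound UDP socket (for sockets the NODE column holds the protocol).
listeners() {
    awk '$5 == "IPv4" || $5 == "IPv6" {
             if ($8 == "TCP" && $NF == "(LISTEN)") print $2, $1, $8, $9
             if ($8 == "UDP") print $2, $1, $8, $9
         }'
}

sample_lsof | deleted_executables   # 9134 kthrd /tmp/.x/kthrd
sample_lsof | listeners             # 84 portmap TCP *:sunrpc / 84 portmap UDP *:sunrpc / 9134 kthrd TCP *:4444
```

On a live system the same filters take `lsof -n -P` (no name resolution, numeric ports) on stdin; `-n -P` also keeps lsof from stalling on a broken resolver during an incident.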
Tool 2: nmap
- version 3.00
- by fyodor@dhp.com
- http://www.insecure.org/nmap/
Scan types
- To scan hosts looking for open ports:
  - TCP connect
  - TCP SYN (a.k.a. half-open)
  - TCP FIN (a.k.a. stealth)
  - TCP SYN/FIN using IP fragments
  - TCP ftp proxy (a.k.a. bounce attack)
  - UDP (raw ICMP port unreachable)
  - RPC scan
  - ACK/WIN scan
  - Ping scan
Tool 3: Sleuthkit
- Linux toolkit for forensics written by Brian Carrier: http://www.sleuthkit.org/
- Command line tools for forensic analysis under UNIX
- Graphical interface: Autopsy Forensic Browser
- Timestamps are often crucial in forensic analysis:
  - determining who was using a system
  - determining if a system has been compromised
  - determining when files were downloaded, modified, organized
  - establishing whether a person could actually have committed a computer crime
  - establishing the validity of alibis
- Sleuthkit's MAC tools light up the filesystem.
- Idea: create a timeline that begins with the date of creation of the first file of interest and traces all subsequent file access, modification and creation dates.
- Good news: deleting a file counts as a modification, and the deletion dates of files can often be retrieved.
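Added example (not from the slides): a MAC timeline built with find and stat, the same idea as Sleuthkit's fls -m / mactime pair but run over a live directory tree instead of an image. One line per (timestamp, m/a/c, path), oldest first; reading it from the first file of interest forward shows what was touched after it. The two files are created by the demo; the stat options assume GNU stat with BSD/macOS stat as the fallback.

```sh
#!/bin/sh
# Added example: a minimal MAC timeline from a live directory.

# file_times FILE: "mtime atime ctime" in epoch seconds (GNU, then BSD stat)
file_times() {
    stat -c '%Y %X %Z' "$1" 2>/dev/null || stat -f '%m %a %c' "$1"
}

# mac_timeline DIR: emit "EPOCH KIND PATH" for every regular file under DIR,
# three lines per file (m, a, c), sorted oldest first
mac_timeline() {
    find "$1" -type f | while IFS= read -r f; do
        set -- $(file_times "$f")
        printf '%s m %s\n%s a %s\n%s c %s\n' "$1" "$f" "$2" "$f" "$3" "$f"
    done | sort -n
}

# timeline_since DIR EPOCH: only events at or after EPOCH
# (the creation date of the first file of interest)
timeline_since() { mac_timeline "$1" | awk -v t="$2" '$1 >= t'; }

# demo: two files, one backdated to 2001 with touch; its m and a entries
# sort first, while its c entry stays with the present, exposing the edit.
demo_timeline() {
    d=$(mktemp -d) || return 1
    printf 'new\n' > "$d/new.txt"
    printf 'old\n' > "$d/old.txt"
    TZ=UTC touch -t 200101010000 "$d/old.txt"
    mac_timeline "$d"
    rm -rf "$d"
}
demo_timeline
```

Deleted files are the gap here: a live walk cannot see them, which is exactly what fls -m on a disk image adds (it reads the unallocated directory entries the slide on directories describes).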
Popular Commercial Unix versions
- Solaris (Sun Microsystems)
- Mac OS X (Apple Computer)
- AIX (IBM)
Windows vs. Unix
- Many beginner users find Windows easier to use than other operating systems.
- Linux has primarily been used by advanced computer users, programmers and developers.
- One fundamental difference between the two systems is the fact that Linux is "open source".
- Linux originally required a 386-class processor, so it runs on any later x86 processor (486, Pentium, Pentium Pro, etc.).
- There are drivers available for many types of hardware devices.
- Linux program installation seems easier, since it only requires a restart when a hardware device has been changed.
Security
- UNIX seems better prepared to protect itself because Linux, UNIX and FreeBSD were developed from the start with security as a goal.
- UNIX has no central registry in the way Windows does, so there is no single place where a user can browse the keys of installed components, which contain important information.
- UNIX is more virus proof: viruses and other malicious programs either cannot run automatically on a Linux machine, or, being Windows executables, cannot execute under Linux at all.
- Windows is often known for a large number of loopholes.