From owner-freebsd-security Tue Jan 18 16: 1:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 0C5F214E8A for ; Tue, 18 Jan 2000 16:01:18 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id SAA05966; Tue, 18 Jan 2000 18:59:35 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Tue, 18 Jan 2000 18:59:35 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Cy Schubert - ITSD Open Systems Group Cc: Omachonu Ogali , Adam , Will Andrews , freebsd-security@FreeBSD.ORG Subject: Re: Parent Logging Patch for sh(1) In-Reply-To: <200001181605.IAA48520@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 18 Jan 2000, Cy Schubert - ITSD Open Systems Group wrote: > Though I haven't had a chance to think about alternative solutions, > I think we need to step back and look at the bigger picture. > > If I may offer a half-baked idea: Why not a kernel module that > implements the access list at execve(2) for any shell or binary. > The reason for a kernel module is that not everyone would want the > latency that this would cause nor the extra kernel memory. It could > also be a kernel option for static link into the kernel. Unfortunately, given the nature of the exploit and the architecture, this is more of a "security by obscurity" kind of measure than actually preventing the writing of effective attacks--it's a little like preventing the execution of /bin/sh, as you point out you just switch to /bin/sh. The reason for this is that the premise of a buffer overflow attack is that the attacker is allowed to introduce new executable code into the system--the easiest way to exploit that capability is to take advantage of a large existing library of tty-based file management routines, AKA the shell. However, the attacker can still introduce other code directly--for example, rather than invoking exec on /bin/sh, they could just invoke unlink on the password files in /etc, or stomp some new data in to set a password in a standard configuration. That said, you'd disable a bunch of current-generation exploit scripts for a while, which might have some advantages, but still leaves you vulnerable to the next generation. :-) Deterrence, despite theoretical limitations, has often proven useful in the past... > Another idea might be that Robert Watson's logging and ACL's could > be extended to implement this. Robert, care to comment? Using auditing to detect unfortunate events is a good idea, but auditing is still a ways from ready. I need to check out a recent version of Nate's code and see how it's going in SRI-land :-). > 1a. Related to #1 above, all a cracker needs to do is transfer his own > shell to the victim system thereby circumventing all of #1. In this > case a non-executable stack and jail(2) are your friends. > > A non-executable stack for FreeBSD was discussed here in the past. > I'm not sure whether anyone is implementing this or not under > FreeBSD. As you suggest, the real solutions are: 1) Prevent bugs from occuring in the first place, by using well thought out libraries that discourage sloppy coding practices (i.e., DO NOT USE the C-style nul-terminated string routines, rather use some bounded-buffer dynamically allocated string management library) 2) Limit the effects of remote execution compromise through fine-grained process access control--if popd needs to read a user's mail file and access a socket, make it so that that is *all* it can do. This is hard in our current environment, but a combination of jail() and fine-grained capabilities and resource access control (in the wings, to be commited post-4.0), this is a lot easier. > 2. The patch relies on a /proc filesystem. The proc filesystem has had > security issues in the past, a reason why some don't use it. At the > very least the patch should be #ifdef'd or should check for the > existence of proc being mounted before proceeding. There are some general purpose security solutions that generalize jail, such as integrity- or privacy-based mandatory access control. Jail is really a subset of the two of these: jail protects integrity by preventing processes in the jail from influencing system operation and other processes in a different jail or not in jail, and it protects privacy by limiting access to files and processes not in the jail. Using Biba intregrity protection or multi-level, multi-category privacy protection would provide a more general solution to this problem, but is harder to implement :-). Work is also in the wings, albeit in a longer time scale, to introduce mandatory access control into FreeBSD. This may not end up being committed, but at the very least we'll try our best to make it easy to plug in. Introducing ACLs in /proc might be a good way to add some initial (and cheap) protection. I.e., set a default ACL on /proc, and have children inherit the ACL. Due to the way POSIX.1e ACLs work as a superset of the file/directory "ownership" scheme, you could specify policies such as "owner and group can read", "only owner can read" for both directories and files. I've been considering this for a while, but am currently working to de-bde the next round of ACL commits :-). Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message