Computer System Security: Lecture 5 PDF
Princess Nourah Bint Abdulrahman University
Dr Tahani Aljohani
Summary
This document is a lecture on computer system security, focusing on threats like worms and the Morris Worm. It details the functioning of programs such as Nmap and the concepts of port scanning and denial of service attacks. The presentation draws references from Peterson and Silberschatz's Operating System Concepts, 1985.
Computer System Security: Lecture 5
Dr Tahani Aljohani

Outline
  Introduction to OS Security
  What Are We Protecting?
  Security Goals and Policies
  Threats
    Software threats: Trojan horses, buffer overflow attack, viruses
    Network threats

Worms
A worm is a process that uses the spawn mechanism to duplicate itself. The worm spawns copies of itself, using up system resources and perhaps locking out all other processes. On computer networks, worms are particularly potent, since they may reproduce themselves among systems and thus shut down an entire network.

Morris Worm
Morris, a first-year Cornell graduate student, unleashed a worm program on one or more hosts connected to the Internet. Targeting Sun Microsystems' Sun 3 workstations and VAX computers running variants of Version 4 BSD UNIX, the worm quickly spread over great distances. Within a few hours of its release, it had consumed system resources to the point of bringing down the infected machines.

[Diagram: the worm spreading from Host1 to several other hosts.]

Morris Worm Design
Morris designed the self-replicating program for rapid reproduction and distribution. He used some features of the UNIX networking environment to propagate the worm throughout the system. He chose for initial infection an Internet host left open for and accessible to outside users. The worm program exploited flaws in the UNIX operating system's security routines. It took advantage of UNIX utilities that simplify resource sharing in local-area networks to gain unauthorized access to thousands of other connected sites.

Morris Worm Implementation
The worm was made up of two programs, a grappling hook program and the main program. The grappling hook consisted of 99 lines of C code compiled and run on each machine it accessed. Once established on the computer system under attack, the grappling hook connected to the machine where it originated and uploaded a copy of the main worm onto the hooked system.
Morris Worm Implementation
The main program proceeded to search for other machines to which the newly infected system could connect easily. In these actions, Morris exploited the UNIX networking utilities rsh, finger, and sendmail.

rsh Utility Function
rsh allows easy remote task execution. By setting up special files that list host–login name pairs, users can omit entering a password each time they access a remote account on the paired list. The worm searched these special files for site names that would allow remote execution without a password. Where remote shells were established, the worm program was uploaded and began executing anew.

Finger Utility Function
The finger utility functions as an electronic telephone directory. The command finger user-name@hostname returns a person's real and login names along with other information such as office and home address. Finger runs as a background process (or daemon) at each BSD site and responds to queries throughout the Internet.

Finger Utility Function
The worm executed a buffer-overflow attack on finger. The program queried finger with a 536-byte string crafted to exceed the buffer allocated for input and to overwrite the stack frame. Instead of returning to the main routine where it resided before Morris's call, the finger daemon was routed to a procedure within the invading 536-byte string now residing on the stack. The new procedure executed /bin/sh, which, if successful, gave the worm a remote shell on the machine under attack.

[Diagram: a normal finger exchange. The client sends the query Adam@pnu.com; the server reads it with gets() into a 512-byte buffer and returns Adam's information.]

[Diagram: the worm's finger exchange. The client sends a 536-byte string over the socket; the server's gets() reads it into the 512-byte buffer and the string overflows it. The diagram labels the string as 512 bytes of no-operation padding, 24 bytes overwriting the return address, and the malicious code.]

Sendmail Utility Function
Sendmail sends, receives, and routes electronic mail. Debugging code in the utility permits testers to verify and display the state of the mail system.
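The finger overflow described above comes down to an unbounded read into a fixed 512-byte stack buffer. The following is an added example, not code from the lecture or from the original finger daemon: it places the unsafe copy pattern beside a bounded reader that refuses any request that does not fit, plus a helper that builds constructed requests of a chosen length (the function names and the 'A'-filled requests are hypothetical; the 512 and 536 byte sizes are the lecture's).

```c
#include <stddef.h>
#include <string.h>

#define FINGER_BUF 512   /* input buffer size from the lecture's diagram */

/* Unsafe pattern (illustration only; never called below). The request is
 * copied into a fixed stack buffer with no length check, so a 536-byte
 * request writes 24 bytes past the end of buf, over the saved frame and
 * return address. That is what let the worm's crafted string redirect the
 * daemon's control flow. */
int lookup_user_unsafe(const char *request)
{
    char buf[FINGER_BUF];
    strcpy(buf, request);            /* no bound on the copy */
    return (int)strlen(buf);
}

/* Hardened form: the copy is limited by the destination size, and a request
 * that does not fit (including its terminating NUL) is rejected with -1
 * rather than truncated or allowed to spill past the buffer. */
int lookup_user_safe(const char *request, char *out, size_t cap)
{
    const char *nul = memchr(request, '\0', cap);   /* NUL within cap bytes? */
    if (nul == NULL)
        return -1;                   /* longer than cap-1 bytes: refuse it */
    size_t n = (size_t)(nul - request);
    memcpy(out, request, n + 1);     /* copy including the terminator */
    return (int)n;
}

/* Build a constructed request of `len` bytes of 'A' (hypothetical input used
 * only to exercise the bounded reader) and pass it to lookup_user_safe.
 * Returns the request length on success, -1 when it was refused. */
int try_request(size_t len)
{
    static char req[2048];
    static char buf[FINGER_BUF];
    if (len >= sizeof req)
        return -1;
    memset(req, 'A', len);
    req[len] = '\0';
    return lookup_user_safe(req, buf, sizeof buf);
}
```

A 511-byte request is the longest that fits with its terminator; anything from 512 bytes up, including the worm's 536-byte string, is refused before a single byte is written to the stack buffer.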
Morris included in his attack arsenal a call to debug that issued a set of commands that mailed and executed a copy of the grappling-hook program. Once in place, the main worm systematically attempted to discover user passwords.

Sendmail Utility Function
It began by trying the simple cases of no password and of passwords constructed from account–user-name combinations. It then used comparisons with an internal dictionary of 432 favorite password choices. The final stage tried each word in the standard UNIX on-line dictionary as a possible password.

Sendmail Utility Function
This elaborate and efficient three-stage password-cracking algorithm enabled the worm to gain access to other user accounts on the infected system. The worm then searched for rsh data files in these newly broken accounts and used them as described previously to gain access to user accounts on remote systems.

Port Scanning
Port scanning is not an attack but rather a means for a cracker to detect a system's vulnerabilities to attack. Port scanning typically is automated, involving a tool that attempts to create a TCP/IP connection to a specific port or a range of ports. For example, suppose there is a known vulnerability (or bug) in sendmail. A cracker could launch a port scanner to try to connect, say, to port 25 of a particular system or to a range of systems.

Port Scanning
If the connection was successful, the cracker (or tool) could attempt to communicate with the answering service to determine if the service was indeed sendmail and, if so, if it was the version with the bug. Frequently, the bugs are buffer overflows, allowing the creation of a privileged command shell on the system. From there, of course, the cracker could install Trojan horses, back-door programs, and so on.

Port Scanning
There are tools that perform subsets of that functionality (e.g. nmap). When pointed at a target, it will determine what services are running, including application names and versions.
It can identify the host operating system. It can also provide information about defenses, such as what firewalls are defending the target. It does not exploit any known bugs. Because port scans are detectable, they frequently are launched from zombie systems.

Nmap
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. It can be installed on any operating system. Nmap: the Network Mapper - Free Security Scanner. To install it on Ubuntu use: sudo apt install nmap

Nmap
To find out which hosts are up on a network, use: nmap -sP 10.7.1.0/24. This command checks whether each system is alive or not.

Nmap
To check for open ports: sudo nmap -sT -p 80,443 10.7.1.0/24. If a server hosts a website, it should have ports 80 and 443 open.

Nmap
sudo nmap -sT 10.7.1.226. This command scans 1000 ports and reports which of them are open.

Nmap
sudo nmap -O 10.7.1.226. This command performs operating-system detection and returns information about the device.

Nmap
sudo nmap -A 10.7.1.226. This command returns information such as the operating system version.

Distributed Denial of Service
Denial-of-service attacks are aimed not at gaining information or stealing resources but rather at disrupting legitimate use of a system or facility. Denial-of-service attacks are generally network based. They fall into two categories. Attacks in the first category use so many facility resources that, in essence, no useful work can be done. For example, a website click could download a Java applet that proceeds to use all available CPU time or to pop up windows infinitely.

Denial of Service
The second category involves disrupting the network of the facility. These attacks result from abuse of some of the fundamental functionality of TCP/IP. For instance, if the attacker sends the part of the protocol that says "I want to start a TCP connection," but never follows with the standard "The connection is now complete," the result can be partially started TCP sessions.
If enough of these sessions are launched, they can eat up all the network resources of the system, disabling any further legitimate TCP connections.

Denial of Service
If an authentication algorithm locks an account for a period of time after several incorrect attempts to access the account, then an attacker could cause all authentication to be blocked by purposely making incorrect attempts to access all accounts. Similarly, a firewall that automatically blocks certain kinds of traffic could be induced to block that traffic when it should not.

Operating System Architecture and Hardening

Reference
This presentation was prepared from Peterson, James L.; Silberschatz, Abraham. Operating System Concepts. Addison-Wesley Longman Publishing Co., Inc., 1985. Chapter 15.
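The three-stage password search in the Sendmail Utility Function slides succeeded because the passwords it guessed were empty, derived from the account name, or ordinary dictionary words. The following is an added example, not code from the lecture or from the worm: a password-policy check that applies the same three tests at password-setting time, so that a password which any of the stages would have found is rejected before it is stored. The function name, the tiny word list standing in for the worm's 432-word list and the system dictionary, and the username-derived variants tried (the name itself, reversed, and doubled) are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the worm's internal word list and the UNIX
 * on-line dictionary; a real deployment would load a large wordlist. */
static const char *const WORDLIST[] = {
    "password", "secret", "welcome", "sunshine", "dragon", "letmein", "unix",
};

/* Case-insensitive string equality. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Write s reversed into out (out must hold strlen(s)+1 bytes). */
static void reverse_into(const char *s, char *out)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++)
        out[i] = s[n - 1 - i];
    out[n] = '\0';
}

/* Returns 0 when none of the weak patterns match, otherwise the stage of the
 * worm's search that would have guessed it: 1 = no password, 2 = derived from
 * the account name (the name itself, reversed, or doubled), 3 = a dictionary
 * word. Hypothetical policy function written for this example. */
int weak_password_stage(const char *user, const char *pw)
{
    char tmp[256];

    if (pw[0] == '\0')
        return 1;

    if (strlen(user) < 128) {            /* keep the doubled name inside tmp */
        if (eq_nocase(pw, user))
            return 2;
        reverse_into(user, tmp);
        if (eq_nocase(pw, tmp))
            return 2;
        strcpy(tmp, user);
        strcat(tmp, user);               /* account name repeated twice */
        if (eq_nocase(pw, tmp))
            return 2;
    }

    for (size_t i = 0; i < sizeof WORDLIST / sizeof WORDLIST[0]; i++)
        if (eq_nocase(pw, WORDLIST[i]))
            return 3;

    return 0;
}
```

Returning the stage number rather than a bare yes/no lets the caller tell the user which rule the password broke, which is useful when the wordlist is large and the match is not obvious.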
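The Port Scanning slides note that port scans are detectable: a connect scan such as nmap -sT touches many different ports on a host from one source in a short time, which ordinary clients do not do. The following is an added example, not code from the lecture or from nmap, of the simplest form of that detection: it parses a constructed connection log (the src=/dst=/dport= line format and the addresses in it are made up for this example; the 10.7.1.0/24 range matches the lecture's scan examples), counts the distinct destination ports seen per source, and flags any source above a threshold.

```c
#include <stdio.h>
#include <string.h>

/* Constructed connection-log sample (not real traffic): one source touches
 * many different ports on one host, which is the signature of a port scan;
 * the other two sources behave like ordinary web clients. */
static const char *const LOG[] = {
    "src=10.7.1.50 dst=10.7.1.226 dport=22",
    "src=10.7.1.50 dst=10.7.1.226 dport=25",
    "src=10.7.1.50 dst=10.7.1.226 dport=80",
    "src=10.7.1.50 dst=10.7.1.226 dport=110",
    "src=10.7.1.50 dst=10.7.1.226 dport=443",
    "src=10.7.1.50 dst=10.7.1.226 dport=3306",
    "src=10.7.1.50 dst=10.7.1.226 dport=8080",
    "src=10.7.1.77 dst=10.7.1.226 dport=80",
    "src=10.7.1.77 dst=10.7.1.226 dport=443",
    "src=10.7.1.77 dst=10.7.1.226 dport=80",
    "src=10.7.1.90 dst=10.7.1.226 dport=443",
};
#define LOG_LINES (sizeof LOG / sizeof LOG[0])

#define MAX_SRC   64
#define MAX_PORTS 256

struct src_stat {
    char src[64];
    int  ports[MAX_PORTS];   /* distinct destination ports seen */
    int  nports;
};

/* Parse "src=A.B.C.D dst=... dport=N"; returns 1 on success, 0 otherwise. */
static int parse_line(const char *line, char *src, size_t cap, int *dport)
{
    const char *s = strstr(line, "src=");
    const char *p = strstr(line, "dport=");
    if (!s || !p)
        return 0;
    s += 4;
    size_t n = strcspn(s, " ");
    if (n >= cap)
        return 0;
    memcpy(src, s, n);
    src[n] = '\0';
    return sscanf(p + 6, "%d", dport) == 1;
}

/* Count distinct destination ports per source over the constructed log.
 * Fills stats in order of first appearance and returns the number of
 * sources recorded (at most max). */
int count_distinct_ports(struct src_stat *stats, int max)
{
    int nsrc = 0;
    for (size_t i = 0; i < LOG_LINES; i++) {
        char src[64];
        int dport, k;
        if (!parse_line(LOG[i], src, sizeof src, &dport))
            continue;                        /* skip malformed lines */
        for (k = 0; k < nsrc; k++)
            if (strcmp(stats[k].src, src) == 0)
                break;
        if (k == nsrc) {                     /* new source */
            if (nsrc == max)
                continue;
            strcpy(stats[nsrc].src, src);
            stats[nsrc].nports = 0;
            nsrc++;
        }
        struct src_stat *st = &stats[k];
        int seen = 0;
        for (int j = 0; j < st->nports; j++)
            if (st->ports[j] == dport) { seen = 1; break; }
        if (!seen && st->nports < MAX_PORTS)
            st->ports[st->nports++] = dport;
    }
    return nsrc;
}

/* Distinct ports a given source touched, or -1 if it never appeared. */
int distinct_ports_for(const char *src)
{
    struct src_stat stats[MAX_SRC];
    int n = count_distinct_ports(stats, MAX_SRC);
    for (int k = 0; k < n; k++)
        if (strcmp(stats[k].src, src) == 0)
            return stats[k].nports;
    return -1;
}

/* Flag sources that touched at least `threshold` distinct ports as probable
 * scanners; prints each one and returns how many were flagged. */
int flag_scanners(int threshold)
{
    struct src_stat stats[MAX_SRC];
    int n = count_distinct_ports(stats, MAX_SRC), flagged = 0;
    for (int k = 0; k < n; k++) {
        if (stats[k].nports >= threshold) {
            printf("possible port scan from %s: %d distinct ports\n",
                   stats[k].src, stats[k].nports);
            flagged++;
        }
    }
    return flagged;
}
```

With a threshold of 5 only the scanning source is flagged; the two web clients, which repeatedly hit the same one or two ports, are not. A production detector would add a time window and look at failed or reset connections as well, since a scan against closed ports never completes a handshake, but the per-source distinct-port count is the core signal.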