Processes, vulnerabilities, and authentication
UNIX process hierarchy
pstree -p | less -S
pstree -pu jedi
lsof -p 31009
Hardware
Kernel
Process 1 Process 2 Process 3
System calls
Interprocess Communication
● Sockets
– Datagram or stream
● Pipes
– Named or unnamed
● Other ways for processes to communicate
– Command line arguments, shared memory, file I/O,
etc.
What is a vulnerability?
● Management information stored in-band with
regular information?
● Programming the weird machine?
● A failure to properly sanitize inputs?
Can be local or remote, sometimes
something else
● Send malicious input over a network socket to
take control of a remote machine
● Give malicious input to a privileged local
process to get escalated privileges for yourself
● Confuse the logic of an accounting mechanism
● Break the separation between web sites in a
browser to get access to someone’s bank
credentials
Plagiarized from
https://sites.psu.edu/thedeepweb/2015/09/1
7/captain-crunch-and-his-toy-whistle/
Other examples of logic bugs or
more general vulnerabilities?
● Werewolves had a couple
● Amazon shopping cart (there was an IEEE
Symposium on Security and Privacy paper
about this, but I can’t find it)
● Pouring salt water or putting tabs from
construction sites in Coke machines
● Getting a code out of a locked locker
● Other examples you guys know of?
SQL command injection
SELECT * where username = ‘$u’ and password = ‘$p’
$u = crandall
$p = abc123
SELECT * where username = ‘crandall’ and password =
‘abc123’
SQL command injection
SELECT * where username = ‘$u’ and password = ‘$p’
$u = bla’ or ‘1’ = ‘1’ —
$p = idontknow
SELECT * where username = ‘bla’ or ‘1’ = ‘1’ –‘ and
password = ‘idontknow’
SQL command injection
SELECT * where username = ‘$u’ and password = ‘$p’
$u = bla’ or ‘1’ = ‘1’ —
$p = idontknow
SELECT * where username = ‘bla’ or ‘1’ = ‘1’ –‘ and
password = ‘idontknow’
Wassermann and Su, POPL 2006
Cross-site Scripting (XSS)
Send a message in the WebCT platform:
Hi Professor Crandall, I had a question about the
homework. When is it due? p.s.
Werewolves command injection
system(“echo $s > /path/to/pipe“)
$s = hi; chmod 777 ~/server.py
echo hi; chmod 777 ~/server.py >
/path/to/pipe
Buffer overflows
https://en.wikipedia.org/wiki/Stack_buffer_overflow
Format string vulnerabilities
scanf(“%s”, string)
printf(string)
%500x%500x%12x\xbf\xff\xff\x2c%n
Memory corruption
● Buffer overflows on the stack and heap, format
strings, double free()’s, etc.
● Easily the most well-studied vulnerability/exploit
type
● Goal is often to execute code in memory
● See Shacham’s ACM CCS 2007 paper for Return
Oriented Programming
– Even with just existing code in memory, you can build a
Turing-complete machine
https://hstar.me/2019/06/first-rop/
Race conditions
● Often called Time-of-Check-to-Time-of-Use
(TOCTTOU)
if (!access(“/home/jedi/s”, W_OK))
{
F = open(“/home/jedi/s”, O_WRITE);
… /* Write to the file */
}
else
{
perror(“You don’t have permission to write to that file!”)
}
Werewolves race condition
touch moderatoronlylogfile.txt
chmod og-rw moderatoronlylogfile.txt
Authentication in general
● Bishop: “Authentication is the binding of an
identity to a principal. Network-based
authentication mechanisms require a principal
to authenticate to a single system, either local
or remote. The authentication is then
propagated.”
Authentication in general
(continued)
● Bishop: “Authentication consists of an entity, the
user, trying to convince a different entity, the
verifier, of the user’s identity. The user does so
by claiming to know some information, to
possess something, to have some particular set
of physical characteristics, or to be in a specific
location.”
● Informally: something you know, something you
have, something you are
2FA = 2-Factor Authentication
● Two of these:
– Something you know
– Something you have
– Something you are
● E.g., bank card plus PIN
● For Internet services, typically the first two
● Helps protect against phishing, for example
Basic Linux authentication
● Ties you (the identity) to your user ID (the
principal), which is in turn tied to subjects (e.g.,
processes) and objects (e.g., files)
● Based on hashing
– Also salting
– Also shadowed password hashes
SHA-512
password
/etc/passwd
/etc/shadow
Salt
Compare
hash
hash
username
Match? Yes or no.
Passwords
● Should be high entropy, algorithmic complexity
● Should be easy to remember
These requirements are in
conflict with each other!
Password managers help.
Plagiarized from https://i.imgsafe.org/2bf87cbfe2.png
Time-memory tradeoff
● Rainbow tables can store lots of hash results
compactly (precomputation)
● Just check if a user’s hash might be in a hash
chain, only recalculate it if so
● As a fall-back, just try every possible password
(brute force)
Salting helps against
precomputation.
Good passwords, system-imposed
delays, shadowing help against
brute force.
Shadowing the password file
Phishing
Image plagiarized from https://citizenlab.org/wp-
content/uploads/2017/02/Ponytail-Figure-1.png
Phishing
● Wide range of sophistication in terms of the
social engineering aspect
– One end of the spectrum: “Plez logg in and changer
you password, maam!”
– Other end of the spectrum: “The attached PDF is
my notes from the meeting yesterday, it was nice to
see you again!” (from someone you saw at a
conference the day before)
2FA helps protect against phishing
(but state actors can easily spoof your
cell phone and get SMS messages)
File permissions
-rwxr-x—
● First is special designations (symlink, directory)
● Next triplet is user (u)
● Triplet after is group (g)
● Last triplet is others (o)
● r = read, w = write, x = execute
● Sometimes you’ll see other things, like s for Set
UID
Preview…
● Processes (subjects) act on files (objects)
● Processes are tied to principles (users)
● File permissions are checked when the file is
opened (and added to the file descriptor table of
the process), not with every access!
man …
● ls (ls -l is a useful flag), cd, pwd, chown, chgrp,
chmod, stat, id, w, who, last, kill, ps, pstree,
netstat, cat, less, sudo, watch, screen, fuser
Some more things to read up on
● FIFO pipes (can be unnamed or named)
● The /proc/ filesystem
● Character devices (e.g., PTY, PTS, TTY)
Resources
● http://www.cs.unm.edu/~crandall/linuxcommand
cheatsheet.txt
● Matt Bishop’s Computer Security: Art and
Practice, Chapter 12
● https://citizenlab.org/
http://www.cs.unm.edu/~crandall/linuxcommandcheatsheet.txt
http://www.cs.unm.edu/~crandall/linuxcommandcheatsheet.txt
https://citizenlab.org/
Slide 1
Slide 2
Slide 3
Slide 4
Slide 5
Slide 6
Slide 7
Slide 8
Slide 9
Slide 10
Slide 11
Slide 12
Slide 13
Slide 14
Slide 15
Slide 16
Slide 17
Slide 18
Slide 19
Slide 20
Slide 21
Slide 22
Slide 23
Slide 24
Slide 25
Slide 26
Slide 27
Slide 28
Slide 29
Slide 30
Slide 31
Slide 32
Slide 33
Slide 34
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Slide 42
Slide 43
Slide 44