mohammed hussain

UNIX SECURITY and COMPUTER FORENSICS PRESENTED TO DR. LOA’I AL TAWALBEH New York Institute of Technology - Amman’s campus - 2007 MOHAMMED HUSSAIN

Upload: herbst

Post on 11-Jan-2016


DESCRIPTION

UNIX SECURITY and COMPUTER FORENSICS PRESENTED TO DR. LOA’I AL TAWALBEH New York Institute of Technology - Amman’s campus - 2007. MOHAMMED HUSSAIN. An operating system. The OS is a program that acts as an intermediary between the user (application programs) and the hardware resources

TRANSCRIPT

Page 1: MOHAMMED HUSSAIN

UNIX SECURITY and COMPUTER FORENSICS

PRESENTED TO DR. LOA’I AL TAWALBEH

New York Institute of Technology - Amman’s campus - 2007

MOHAMMED HUSSAIN

Page 2: MOHAMMED HUSSAIN

An operating system

The OS is a program that acts as an intermediary between the user (application programs) and the hardware resources.

The OS interacts with hardware and manages programs.

Programs are not expected to know which hardware they will run on, so they cannot manage themselves.

The OS provides a safe environment for programs to run.

Page 3: MOHAMMED HUSSAIN

What is an Operating System?

Page 4: MOHAMMED HUSSAIN

Unix architecture: kernel

Program always resides in memory.

Has direct access to the hardware.

Manages processes, memory, and performs all housekeeping.

Only one copy shared by all users.

Page 5: MOHAMMED HUSSAIN

Shell

A program or command invoked only when the user logs in. Through it, functions of the kernel are called by command or graphical interface.

At least one shell is invoked by every user, so a system may have several different shells running simultaneously.

Interface between the user and the kernel.

Page 6: MOHAMMED HUSSAIN

UNIX Architecture

User

Shell, which executes the binaries: cp, mv, grep, tar, who, ps

Kernel

Hardware

Page 7: MOHAMMED HUSSAIN

Interacting with the Shell

The shell prints a prompt and waits for you to type in a command.

The shell can deal with a couple of types of commands:
– shell internals: commands that the shell handles directly.
– external programs: the shell runs a program for you.

Page 8: MOHAMMED HUSSAIN

Types of commands

External program on disk, which could be:
– a binary executable (written in C, C++).
– a script file (like a shell or perl script).

Internal command of the shell, which could be:
– a builtin (like cd, pwd, etc.)
– an alias defined by the user that invokes the disk or internal version in a specific manner.

Page 9: MOHAMMED HUSSAIN

Why security?

– Availability
– Confidentiality
– Integrity (system files)

Page 10: MOHAMMED HUSSAIN

We need to identify the capabilities that the UNIX OS uses to provide security at the low and high levels of the operating system.

Files, directories and their permissions are the main components of such a system.

Page 11: MOHAMMED HUSSAIN

Ordinary step in any secure OS

PROBLEM
– Secure the OS from unwanted users
– And secure the internal processes from each other

SOLUTION
– Define a specific domain that each user/process can access

Page 12: MOHAMMED HUSSAIN

Domain implementation

Two domain groups
– User
– Superuser (can do everything, UID=0)

User domain group
– Domain = user-id (UID)
– Domain switch accomplished via file system.
  Each file has associated with it a domain bit (setuid bit = SUID bit).
  When file is executed and setuid = on, then effective user-id is set to owner of the file being executed. When execution completes user-id is reset (exit() for child process).

Page 13: MOHAMMED HUSSAIN

Basic Unix Security Model

User authenticated on logon
– User ID associated with process
– Default Group ID associated with process
– Default Process listed in passwd file

Groups defined in /etc/group
– Set of users listed with each group definition
– User can be member of multiple groups

Page 14: MOHAMMED HUSSAIN

Users and permissions

Three types of users
– Root super users
– Privileged users
– Other users

We assign access permissions to files and directories

ACL

Page 15: MOHAMMED HUSSAIN

Unix Access Control

Three permission octets associated with each file and directory
– Owner, group, and other
– Read, write, execute

For each file/directory
– Can specify RWX permissions for one owner, one group, and one other

Page 16: MOHAMMED HUSSAIN

Other Bits

Set UID and Set GID bits
– When set, the process created by executing file takes on user ID or group ID associated with file

Secure shell (SSH)
– Accessing remotely securely.

Sticky bit
– On directories, prevents anyone but owner of file removing file in directory
– Sys daemon (log files access)

Page 17: MOHAMMED HUSSAIN

> ls -l foo

-rw-rw---- 1 hollingd grads 13 Jan 10 23:05 foo

Fields labelled on the slide: permissions, owner, group, size, time, name

Directories

Under UNIX, directories are special (OS writable only) files. The directory file is an unsorted linked list of filenames to file-inode (attributes and location of file on hard disk). Directory size will always increase to be large enough to hold all the file entries. If the number of files later shrinks, the directory size WILL NOT!

Page 18: MOHAMMED HUSSAIN

Files

Regular Files
– binary: GIF, JPEG, Executable etc.
– text: scripts, program source code, documentation

Page 19: MOHAMMED HUSSAIN

Files (cont.)

Directory
– Can contain ANY kind of files
  . (Dot): The special name for the current directory.
  .. (Dot Dot): The special name for the directory above the current directory.

Device File
– Allows programs to communicate with hardware.
– Kernel modules handle device management.

Page 20: MOHAMMED HUSSAIN

File Time Attributes

Time Attributes:
– when the file was last changed: ls -l
– when the file was created*: ls -lc
– when the file was last read (accessed): ls -ul

*actually it’s the time the file status in the directory last changed (e.g. file renamed).

Page 21: MOHAMMED HUSSAIN

File permissions

-rwxr--r--

File type (first character)
- : plain file
d : directory
c : character device (tty, printer)
b : block device (disk, CD-ROM)
l : symbolic link
s : socket
=, p : FIFO

Access granted to owner (next three characters): r : read / w : write / x : execute

Access granted to group member (next three characters)

Access granted to others (last three characters)

Page 22: MOHAMMED HUSSAIN

File Protection

Given the following output from ls -l

-rwxr-xr-x jason research ... test.exe

----rwxr-- jason research ... example.exe

jason has full access to test.exe

jason has no access to example.exe even if he belongs to the research group

Any member of the research group (except jason) has full access to example.exe
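
The owner-before-group rule behind the example.exe case, as an added example that is not part of the original slides: exactly one permission class is chosen for a process (owner, else group, else other) and a later class is never consulted. The helper names and the users `alice` and `bob` are assumptions for illustration; the superuser (UID 0) bypasses this check and is left out.

```python
import stat

# The nine rwx slots of an `ls -l` mode string: (index, letter, permission bit).
SLOTS = [
    (1, "r", stat.S_IRUSR), (2, "w", stat.S_IWUSR), (3, "x", stat.S_IXUSR),
    (4, "r", stat.S_IRGRP), (5, "w", stat.S_IWGRP), (6, "x", stat.S_IXGRP),
    (7, "r", stat.S_IROTH), (8, "w", stat.S_IWOTH), (9, "x", stat.S_IXOTH),
]
# The execute slots also display the special bits: s/S (SUID, SGID), t/T (sticky).
SPECIAL = {3: ("s", stat.S_ISUID), 6: ("s", stat.S_ISGID), 9: ("t", stat.S_ISVTX)}


def parse_mode(text):
    """Turn a mode string such as '-rwsr-xr-x' into (file type char, mode bits)."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, got %r" % text)
    bits = 0
    for index, letter, bit in SLOTS:
        ch = text[index]
        if ch == letter:
            bits |= bit
        elif index in SPECIAL and ch.lower() == SPECIAL[index][0]:
            bits |= SPECIAL[index][1]
            if ch.islower():          # lower case: special bit and execute both set
                bits |= bit
        elif ch != "-":
            raise ValueError("unexpected %r at position %d" % (ch, index))
    return text[0], bits


def permission_class(owner, group, user, user_groups):
    """Pick the single class that applies; the first match wins."""
    if user == owner:
        return "owner"
    if group in user_groups:
        return "group"
    return "other"


def allowed(mode_text, owner, group, user, user_groups, want):
    """True if `user` gets every right in `want` (a string drawn from 'rwx')."""
    _, bits = parse_mode(mode_text)
    shift = {"owner": 6, "group": 3, "other": 0}[
        permission_class(owner, group, user, user_groups)]
    granted = (bits >> shift) & 0o7
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return granted & needed == needed


if __name__ == "__main__":
    # The two listing lines from the slide; alice and bob are constructed users.
    cases = [
        ("-rwxr-xr-x", "jason", {"research"}, "rwx"),
        ("----rwxr--", "jason", {"research"}, "r"),
        ("----rwxr--", "alice", {"research"}, "rwx"),
        ("----rwxr--", "bob", {"staff"}, "w"),
    ]
    for mode, user, groups, want in cases:
        verdict = allowed(mode, "jason", "research", user, groups, want)
        print(mode, user, want, "->", "granted" if verdict else "denied")
```
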

Page 23: MOHAMMED HUSSAIN

Unix Accounts

To access a Unix system you need to have an account.

Unix account includes:
– username and password
– userid and groupid
– home directory
– shell

Page 24: MOHAMMED HUSSAIN

User accounts

1- User name: a username is (typically) a sequence of alphanumeric characters of length no more than 8.

2- Password: a secret string that only the user knows, not less than 8 characters.

The userID, by contrast, is a 16-bit integer that identifies a user account; the user does not know this number, but it is used to secure the shell.

Page 25: MOHAMMED HUSSAIN

Users and Ownership: /etc/passwd

Every file is owned by one of the system’s users – identity is represented by the user-id (UID)

The password file associates UIDs with system users.

gates:x:65:20:B. Gates:/home/gates:/bin/ksh

Fields, in order: login name : [encrypted password] : user ID : group ID : “real” name : home directory : command interpreter

Page 26: MOHAMMED HUSSAIN

SUID/SGID/sticky bits

SUID (set uid)
– Processes are granted access to system resources based on user who owns the file.

SGID (set gid)
– (For file) Same with SUID except group is affected.
– (For directory) Files created in that directory will have their group set to the directory's group.

sticky bit
– If set on a directory, then a user may only delete files that he owns or for which he has explicit write permission granted, even when he has write access to the directory. (e.g. /tmp )

Page 27: MOHAMMED HUSSAIN

Advanced: Access Control Lists

The permissions defined by ACLs are a superset of the permissions specified by the file permission bits. The permissions defined for the file owner correspond to the permissions of the ACL_USER_OBJ entry. The permissions defined for the file group correspond to the permissions of the ACL_GROUP_OBJ entry, if the ACL has no ACL_MASK entry. If the ACL has an ACL_MASK entry, then the permissions defined for the file group correspond to the permissions of the ACL_MASK entry. The permissions defined for the other class correspond to the permissions of the ACL_OTHER_OBJ entry.

Modification of the file permission bits results in the modification of the permissions in the associated ACL entries. Modification of the permissions in the ACL entries results in the modification of the file permission bits.

Example:

user::rw-
user:lisa:rw-
group::r--
group:toolies:rw-
mask::r--
other::r--
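
The slide's example ACL worked through, as an added example that is not from the original slides: named-user, named-group and owning-group entries are limited by the mask entry, the owner and other entries are not, and the group digit of the file mode reflects the mask when one exists. The function names are assumptions; the entries use the short text form shown in the example.

```python
# The ACL from the slide, in short text form.
ACL_TEXT = """\
user::rw-
user:lisa:rw-
group::r--
group:toolies:rw-
mask::r--
other::r--
"""


def to_bits(perms):
    """'rw-' -> 6"""
    if len(perms) != 3 or any(c not in (l, "-") for c, l in zip(perms, "rwx")):
        raise ValueError("bad permission field: %r" % perms)
    return sum(value for c, value in zip(perms, (4, 2, 1)) if c != "-")


def to_text(bits):
    """6 -> 'rw-'"""
    return "".join(l if bits & v else "-" for l, v in zip("rwx", (4, 2, 1)))


def parse_acl(text):
    """Return a list of (tag, qualifier, permission bits) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        if tag not in ("user", "group", "mask", "other"):
            raise ValueError("unknown ACL tag: %r" % tag)
        entries.append((tag, qualifier, to_bits(perms)))
    return entries


def effective_permissions(entries):
    """Apply the mask to every entry in the group class; return {entry: 'rwx' text}."""
    mask = next((bits for tag, _, bits in entries if tag == "mask"), None)
    result = {}
    for tag, qualifier, bits in entries:
        if tag == "mask":
            continue
        # Group class = owning group, named groups and named users.
        in_group_class = tag == "group" or (tag == "user" and qualifier != "")
        if in_group_class and mask is not None:
            bits &= mask
        result[tag + ":" + qualifier] = to_text(bits)
    return result


def mode_from_acl(entries):
    """The permission bits that `ls -l` would show for a file carrying this ACL."""
    def first(tag):
        return next(bits for t, q, bits in entries if t == tag and q == "")
    mask = next((bits for t, _, bits in entries if t == "mask"), None)
    group_class = mask if mask is not None else first("group")
    return first("user") << 6 | group_class << 3 | first("other")


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for entry, perms in effective_permissions(acl).items():
        print("%-14s effective %s" % (entry, perms))
    print("mode bits: %o" % mode_from_acl(acl))
```
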

Page 28: MOHAMMED HUSSAIN

Log files

Log files are normally kept in /var/log

Read them

Syslog logs the system and what is happening on it

Logcheck is a handy utility which checks the contents of logs and mails anything unusual

http://www.psionic.com/abacus/logcheck/

Page 29: MOHAMMED HUSSAIN

Advanced: TCP/IP Firewalls

Page 30: MOHAMMED HUSSAIN

UNIX and Forensics

Page 31: MOHAMMED HUSSAIN

Basic enabler: Data is very hard to kill

Privacy Through Media Mutilation

degausser

or

forensically-secure file deletion software (but make sure it works!)

Page 32: MOHAMMED HUSSAIN

Digital evidence is everywhere in the intended area of work.

It is inside and outside the used space, or embedded in other strings.

Or even on cell phones.

Temp files, print spools, zipped files, Windows registry.

Page 33: MOHAMMED HUSSAIN

But anti-forensics can play a negative role in the investigation process.

Page 34: MOHAMMED HUSSAIN

Hiding Data in Slack Space w/ bmap: File carving won’t help!

[Figure: three files ("Dear Mom, Dropped the hamster. Didn’t mean to kill Herbie!"; "To Whom It May Concern: … Best, Fred"; a C source file beginning "#include <stdio.h> #include <io.h> void zapQ(void);"), with the hidden text "password is friday" split across their slack space]

bmap: tools for creating a simple filesystem in slack space

Page 35: MOHAMMED HUSSAIN

1

Lsof version 4.63

Vic Abell

ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

Page 36: MOHAMMED HUSSAIN

FUNCTIONS

List open files
– regular files
– directories
– device files
– executing text file
– library (for dynamic load libraries)
– network file (socket, NFS file)
– stream

Page 37: MOHAMMED HUSSAIN

What Has a Process Opened?

% lsof -p 78957

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dc 78957 bishop cwd VDIR 3,131077 2560 8482 /usr/home/bishop
dc 78957 bishop rtd VDIR 3,131072 512 2 /
dc 78957 bishop txt VREG 3,131077 27452 7953 /usr/bin/dc
dc 78957 bishop txt VREG 3,131077 71976 992435 /usr/libexec/ld-elf.so.1
dc 78957 bishop txt VREG 3,131077 116092 286210 /usr/lib/libm.so.2
dc 78957 bishop txt VREG 3,131077 531444 287065 /usr/lib/libc.so.4
dc 78957 bishop 0u VCHR 5,2 0t735 8176 /dev/ttyp2
dc 78957 bishop 1u VCHR 5,2 0t735 8176 /dev/ttyp2
dc 78957 bishop 2u VCHR 5,2 0t735 8176 /dev/ttyp2

You can also use -c cmdbegin

Page 38: MOHAMMED HUSSAIN

What Has a User Opened?

# lsof +M -u daemon

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
portmap 84 daemon cwd VDIR 3,131072 512 2 /
portmap 84 daemon rtd VDIR 3,131072 512 2 /
portmap 84 daemon txt VREG 3,131077 11088 64023 /usr/sbin/portmap
portmap 84 daemon txt VREG 3,131077 71976 992435 /usr/libexec/ld-elf.so.1
portmap 84 daemon txt VREG 3,131077 24776 287069 /usr/lib/libwrap.so.3
portmap 84 daemon txt VREG 3,131077 531444 287065 /usr/lib/libc.so.4
portmap 84 daemon 0u VCHR 2,2 0t0 7828 /dev/null
portmap 84 daemon 1u VCHR 2,2 0t0 7828 /dev/null
portmap 84 daemon 2u VCHR 2,2 0t0 7828 /dev/null
portmap 84 daemon 3u IPv4 0xc7c6dc00 0t0 UDP *:sunrpc[portmapper]
portmap 84 daemon 4u IPv4 0xc7c9ed80 0t0 TCP *:sunrpc[portmapper] (LISTEN)

[portmapper]: portmapper registration name/number (+M gives this)

Page 39: MOHAMMED HUSSAIN
Page 40: MOHAMMED HUSSAIN
Page 41: MOHAMMED HUSSAIN
Page 42: MOHAMMED HUSSAIN
Page 43: MOHAMMED HUSSAIN
Page 44: MOHAMMED HUSSAIN
Page 45: MOHAMMED HUSSAIN

NMAP

Version 3.00

by [email protected]@dhp.com

http://www.insecure.org/nmap/

2

Page 46: MOHAMMED HUSSAIN

TO

To scan hosts looking for open ports
– TCP connect
– TCP SYN (a.k.a. half-open)
– TCP FIN (a.k.a. stealth)
– TCP SYN/FIN using IP fragments
– TCP ftp proxy (a.k.a. bounce attack)
– UDP raw ICMP port unreachable
– RPC scan
– ACK/WIN scan
– Ping scan

Page 47: MOHAMMED HUSSAIN

2

Sleuthkit

Linux toolkit for forensics written by Brian Carrier

http://www.sleuthkit.org/

Command line tools for forensic analysis under UNIX

Graphical interface: Autopsy Forensic Browser

Page 48: MOHAMMED HUSSAIN

– Timestamps are often crucial in forensic analysis
– Determining who was using a system
– Determining if a system has been compromised
– Determining when files were downloaded, modified, organized
– Establish whether a person could have actually committed a computer crime
– Establish validity of alibis

– Sleuthkit MAC tools “light up the filesystem”
– Idea:
– Create a timeline that begins with the date of creation for the first file of interest…
– …traces all subsequent file access, modification and creation dates…
– Good news: Deleting a file counts as a “modification” and often the deletion dates of files can be retrieved
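
A small version of the timeline idea, as an added example (not Sleuthkit code and not from the original slides): it reads the modification, access and status-change times of everything under a directory and merges them into one chronological list, marking each row with the m/a/c letters that share that second. The names `mac_timeline` and `render` are assumptions; `c` here is the inode status-change time noted on the File Time Attributes slide, not a creation time.

```python
import os
import time
from collections import defaultdict


def mac_timeline(root):
    """Return [(epoch second, 'mac' flags, path)] sorted by time, then path.

    Walking a live filesystem can itself update directory access times, so
    evidence is normally examined from a read-only mount or an image copy.
    """
    events = defaultdict(set)          # (second, path) -> subset of {"m", "a", "c"}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)    # describe a symlink itself, do not follow it
            except OSError:
                continue               # vanished or unreadable entry: skip it
            stamps = (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime))
            for letter, stamp in stamps:
                events[(int(stamp), path)].add(letter)
    rows = []
    for (second, path), letters in events.items():
        # Same column layout for every row: a dot where a letter did not fire.
        flags = "".join(l if l in letters else "." for l in "mac")
        rows.append((second, flags, path))
    rows.sort(key=lambda row: (row[0], row[2]))
    return rows


def render(rows):
    """Format timeline rows as text, one event per line, times in UTC."""
    lines = []
    for second, flags, path in rows:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(second))
        lines.append("%s UTC  %s  %s" % (stamp, flags, path))
    return "\n".join(lines)


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree: two empty files with hand-set access/modify times.
    with tempfile.TemporaryDirectory() as root:
        report = os.path.join(root, "report.txt")
        notes = os.path.join(root, "notes.txt")
        for path in (report, notes):
            open(path, "w").close()
        os.utime(report, (1000000500, 1000000000))   # (atime, mtime)
        os.utime(notes, (1100000000, 1100000000))
        print(render(mac_timeline(root)))
```
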

Page 49: MOHAMMED HUSSAIN
Page 50: MOHAMMED HUSSAIN
Page 51: MOHAMMED HUSSAIN

Popular Commercial Unix versions

Solaris (Sun Microsystems)
MacOS X (Apple Computer)
AIX (IBM)

Page 52: MOHAMMED HUSSAIN

Windows vs. Unix

Many beginner users find Windows easier to use than other operating systems

Linux has been primarily used by advanced computer users – programmers and developers

One fundamental difference between the two systems is the fact that Linux is "open source".

Page 53: MOHAMMED HUSSAIN

Linux requires 386 architecture to run. Thus, it is compatible with any improved architecture such as 486, Pentium, Pentium Pro, etc.

There are drivers available for many types of hardware devices

Linux program installation seems to be easier since it only requires a restart when a hardware device has been changed

Page 54: MOHAMMED HUSSAIN

Security

UNIX seems to be more prepared for protecting itself because of the beginning developments of Linux, UNIX, and FreeBSD, which were aimed at top notch security

UNIX does not create registry keys in the way Windows does, which allows a user to browse installed components' registry keys that contain important information

UNIX is more virus proof since viruses (malicious programs) either cannot be run automatically on the Linux machine, or simply are not capable of being executed on a 386 architecture

Windows is often known for a large number of loopholes

Page 55: MOHAMMED HUSSAIN
