SlideShare una empresa de Scribd logo

Tlpi chapter 38 writing secure privileged programs

Shu-Yu Fu
Shu-Yu Fu
Tecnología
1 de 17
TLPI - Chapter 38 Writing Secure Privileged Programs Shu-Yu Fu (shuyufu@gmail.com)
In This Chapter We discuss a set of recommended practices for secure programming, and describes various pitfalls that should be avoided when writing privileged programs.
Privileged Programs ● have access to features and resources that are not available to ordinary users. ● was started under a privileged user ID. ● has its set-user-ID or set-group-ID permission bit set. ○ When a set-user-id (set-group-ID) program is execed, it changes the effective user (group) ID of the process to be the same as the owner (group) of the program file.
Is a Set-User-ID or Set-Group-ID Program Required? ● Avoid writing them whenever possible. ● Is there an alternative way? ● Isolate the functionality that needs privilege into a separate program. ● It isn't always necessary for a set-user-ID program to give a process root credentials. ● A dedicated group account (group ID) for the program.
Operate with Least Privilege ● The saved set-user-ID facility was designed for this purpose. uid_t orig_euid; orig_euid = geteuid(); /* Drop privileges */ if (seteuid(getuid()) == -1) errExit("seteuid"); /* Do unprivileged work*/ /* Hold privileges only while they are required. */ /* Reacquire privileges */ if (seteuid(orig_euid) == -1) errExit("seteuid"); /* Do privileged work*/ /* We must gain privilege prior to dropping it permanently */ /* Drop privileges permanently when they will never agin be required. */ /* Use setuid() for set-user-root and setreuid() (or setresuid()) for set-user-ID program */ if (setuid(getuid() == -1) errExit("setuid");
Operate with Least Privilege (cont.) ● [Tsafrir et al., 2008] recommends that applications should use system specific nonstandard system calls for changing process credentials. ● Not only check that a credential-changing system call has succeeded, but also to verify that the change occurred as expected. ● We should drop/raise the privileged effective user ID last/first when dropping/raising privileged IDs.
Be Careful When Executing a Program ● Drop privileges permanently before execing another program. ● Avoid executing a shell (or other interpreter) with privileges. ● Close all unnecessary file descriptors before an exec().
Avoid Exposing Sensitive Information ● When a program reads sensitive information, it should perform whatever processing is required, and then immediately erase the information from memory. ○ The virtual memory page may be swapped out, and could then be read from the swap area by a privileged program. ○ If the process receives a signal that causes it to produce a core dump file, then that file may be read to obtain the information.
Confine the Process ● Consider using capabilities The Linux capabilities scheme divides the traditional all-or-nothing UNIX privilege scheme into distinct units called capabilities. ● Consider using a chroot jail to limit the set of directories and files that a program may access. However, a chroot jail in insufficient to confine a set-user-ID-root program.
Beware of Signals and Race Conditions ● We need to consider the race conditions that can occur if a signal is delivered at any point in the execution of the program. ○ Time-of-check, time-of-use race condition.
Pitfalls When Performing File Operations and File I/O ● The process umask should be set to a value that ensures that the process never creates publicly writable files. ● Use of seteuid() or setreuid() may required in order ensure that a newly created file doesn't belong to the wrong user. ● Checks on file attributes should be performed on open file descriptors. (Avoid time-of-use, time-of-check problem) ● If a program must ensure that it is the creator of a file, then the O_EXCL flag should be used when calling open(). ● A privileged program should avoid creating or relying on files in publicly writable directories.
Don't Trust Inputs or the Environment ● Don't trust the environment list. ○ Especially PATH and IFS. ● Handle untrusted user inputs defensively. ○ User-created files, command-line arguments, interactive inputs, CGI inputs, email messages, environment variables, IPC (FIFOs, shared memory, and so on) accessible by untrusted users, and network packets. ● Avoid unreliable assumptions about the process's run-time environment.
Beware of Buffer Overruns ● Never use gets(), and employ functions such as scanf(), sprintf(), strcpy(), and strcat() with caution. ○ stack crashing (a.k.a. stack smashing) ■ address-space-randomization ■ NX (no execute) ● Alternatives, snprintf(), strncpy(), and strncat(). ○ The caller must check if truncation occurred. ○ Using strncpy() can carry a performance impact. ○ If the maximum size value given to strncpy() is not long enough to permit the inclusion of the terminating null character, the target string is not null-terminated.
Beware of Denial-of-Service Attacks ● Denial-of-service attacks attempt to make a service unavailable to legitimate clients. ○ A server should be programmed to rigorously check its input and avoid buffer overruns. ○ The Server should perform load throttling. ○ A server should employ timeouts for communication with a client. SYN flood ○ In the event of an overload, the server should log suitable messages. However, logging should be throttled. ○ The server should be programmed so that it doesn't crash in the face of an unexpected load. ○ Data structures should be designed to avoid algorithmic- complexity attacks. ○ Spoofing attack
Check Return Statuses and Fail Safely ● A program should always check to see whether system calls and library functions succeed, and whether they return expected values. ● If a privileged program encounters an unexpected situation, then the appropriate behavior is usually either to terminate or, in the case of a server, to drop the client request.
Summary In this chapter, we presented a set of guidelines for writing privileged programs. The aim of these guidelines is twofold: to minimize the chances of a privileged program being subverted, and to minimize the damage that can be done in the event that a privileged program is subverted.
Reference ● Oracle LinuxSecurity Guide for Release 6, Chapter 4. Security Considerations for Developers ● Secure Programming for Linux and Unix HOWTO

Recomendados

CSI-503 - 3. Process Scheduling
CSI-503 - 3. Process SchedulingCSI-503 - 3. Process Scheduling
CSI-503 - 3. Process Schedulingghayour abbas
 
Concurrent process
Concurrent processConcurrent process
Concurrent processYogendra Rwl
 
Concurrency
ConcurrencyConcurrency
Concurrencyrizwanaabassi
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsShu-Yu Fu
 
TLPI - 6 Process
TLPI - 6 ProcessTLPI - 6 Process
TLPI - 6 ProcessShu-Yu Fu
 
TLPI - Chapter 44 Pipe and Fifos
TLPI - Chapter 44 Pipe and FifosTLPI - Chapter 44 Pipe and Fifos
TLPI - Chapter 44 Pipe and FifosShu-Yu Fu
 
程式設計師的自我修養 Chapter 5
程式設計師的自我修養 Chapter 5程式設計師的自我修養 Chapter 5
程式設計師的自我修養 Chapter 5Shu-Yu Fu
 
程式設計師的自我修養 Chapter 1
程式設計師的自我修養 Chapter 1程式設計師的自我修養 Chapter 1
程式設計師的自我修養 Chapter 1Shu-Yu Fu
 

Recomendados

CSI-503 - 3. Process Scheduling
CSI-503 - 3. Process SchedulingCSI-503 - 3. Process Scheduling
CSI-503 - 3. Process Schedulingghayour abbas
 
Concurrent process
Concurrent processConcurrent process
Concurrent processYogendra Rwl
 
Concurrency
ConcurrencyConcurrency
Concurrencyrizwanaabassi
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsShu-Yu Fu
 
TLPI - 6 Process
TLPI - 6 ProcessTLPI - 6 Process
TLPI - 6 ProcessShu-Yu Fu
 
TLPI - Chapter 44 Pipe and Fifos
TLPI - Chapter 44 Pipe and FifosTLPI - Chapter 44 Pipe and Fifos
TLPI - Chapter 44 Pipe and FifosShu-Yu Fu
 
程式設計師的自我修養 Chapter 5
程式設計師的自我修養 Chapter 5程式設計師的自我修養 Chapter 5
程式設計師的自我修養 Chapter 5Shu-Yu Fu
 
程式設計師的自我修養 Chapter 1
程式設計師的自我修養 Chapter 1程式設計師的自我修養 Chapter 1
程式設計師的自我修養 Chapter 1Shu-Yu Fu
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemdAlison Chaiken
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Liferay portals in real projects
Liferay portals in real projectsLiferay portals in real projects
Liferay portals in real projectsIBACZ
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Codemotion
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
Thick Client Testing Basics
Thick Client Testing BasicsThick Client Testing Basics
Thick Client Testing BasicsNSConclave
 
Apache flink
Apache flinkApache flink
Apache flinkpranay kumar
 
Stability Patterns for Microservices
Stability Patterns for MicroservicesStability Patterns for Microservices
Stability Patterns for Microservicespflueras
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13jemtallon
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
Security Design Principles.ppt
Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.pptDrBasemMohamedElomda
 
Lecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdfLecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdfssuserf3a6ff
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
AWS Well-Architected Framework (nov 2017)
AWS Well-Architected Framework (nov 2017)AWS Well-Architected Framework (nov 2017)
AWS Well-Architected Framework (nov 2017)Rick Hwang
 
Answers
AnswersAnswers
Answerssangamesh kumbar
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerBob Killen
 
團隊之美 第三篇 實踐 (Part 1)
團隊之美 第三篇 實踐 (Part 1)團隊之美 第三篇 實踐 (Part 1)
團隊之美 第三篇 實踐 (Part 1)Shu-Yu Fu
 
團隊之美 第二篇 目標
團隊之美 第二篇 目標團隊之美 第二篇 目標
團隊之美 第二篇 目標Shu-Yu Fu
 

Más contenido relacionado

Similar a Tlpi chapter 38 writing secure privileged programs

Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemdAlison Chaiken
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Liferay portals in real projects
Liferay portals in real projectsLiferay portals in real projects
Liferay portals in real projectsIBACZ
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Codemotion
 
Thick Client Testing Basics
Thick Client Testing BasicsThick Client Testing Basics
Thick Client Testing BasicsNSConclave
 
Stability Patterns for Microservices
Stability Patterns for MicroservicesStability Patterns for Microservices
Stability Patterns for Microservicespflueras
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13jemtallon
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
Lecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdfLecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdfssuserf3a6ff
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
AWS Well-Architected Framework (nov 2017)
AWS Well-Architected Framework (nov 2017)AWS Well-Architected Framework (nov 2017)
AWS Well-Architected Framework (nov 2017)Rick Hwang
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerBob Killen
 

Similar a Tlpi chapter 38 writing secure privileged programs (20)

Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemd
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Liferay portals in real projects
Liferay portals in real projectsLiferay portals in real projects
Liferay portals in real projects
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Thick Client Testing Basics
Thick Client Testing BasicsThick Client Testing Basics
Thick Client Testing Basics
 
Apache flink
Apache flinkApache flink
Apache flink
 
Stability Patterns for Microservices
Stability Patterns for MicroservicesStability Patterns for Microservices
Stability Patterns for Microservices
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
Security Design Principles.ppt
Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
Lecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdfLecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdf
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
 
AWS Well-Architected Framework (nov 2017)
AWS Well-Architected Framework (nov 2017)AWS Well-Architected Framework (nov 2017)
AWS Well-Architected Framework (nov 2017)
 
Answers
AnswersAnswers
Answers
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
 

Más de Shu-Yu Fu

團隊之美 第三篇 實踐 (Part 1)
團隊之美 第三篇 實踐 (Part 1)團隊之美 第三篇 實踐 (Part 1)
團隊之美 第三篇 實踐 (Part 1)Shu-Yu Fu
 
團隊之美 第二篇 目標
團隊之美 第二篇 目標團隊之美 第二篇 目標
團隊之美 第二篇 目標Shu-Yu Fu
 
TLPI - 7 Memory Allocation
TLPI - 7 Memory AllocationTLPI - 7 Memory Allocation
TLPI - 7 Memory AllocationShu-Yu Fu
 
程式設計師的自我修養 Chapter 10 記憶體
程式設計師的自我修養 Chapter 10 記憶體程式設計師的自我修養 Chapter 10 記憶體
程式設計師的自我修養 Chapter 10 記憶體Shu-Yu Fu
 
大家來學GObject
大家來學GObject大家來學GObject
大家來學GObjectShu-Yu Fu
 
程式設計師的自我修養 Chapter 3.4
程式設計師的自我修養 Chapter 3.4程式設計師的自我修養 Chapter 3.4
程式設計師的自我修養 Chapter 3.4Shu-Yu Fu
 
程式設計師的自我修養 Chapter 8
程式設計師的自我修養 Chapter 8程式設計師的自我修養 Chapter 8
程式設計師的自我修養 Chapter 8Shu-Yu Fu
 

Más de Shu-Yu Fu (7)

團隊之美 第三篇 實踐 (Part 1)
團隊之美 第三篇 實踐 (Part 1)團隊之美 第三篇 實踐 (Part 1)
團隊之美 第三篇 實踐 (Part 1)
 
團隊之美 第二篇 目標
團隊之美 第二篇 目標團隊之美 第二篇 目標
團隊之美 第二篇 目標
 
TLPI - 7 Memory Allocation
TLPI - 7 Memory AllocationTLPI - 7 Memory Allocation
TLPI - 7 Memory Allocation
 
程式設計師的自我修養 Chapter 10 記憶體
程式設計師的自我修養 Chapter 10 記憶體程式設計師的自我修養 Chapter 10 記憶體
程式設計師的自我修養 Chapter 10 記憶體
 
大家來學GObject
大家來學GObject大家來學GObject
大家來學GObject
 
程式設計師的自我修養 Chapter 3.4
程式設計師的自我修養 Chapter 3.4程式設計師的自我修養 Chapter 3.4
程式設計師的自我修養 Chapter 3.4
 
程式設計師的自我修養 Chapter 8
程式設計師的自我修養 Chapter 8程式設計師的自我修養 Chapter 8
程式設計師的自我修養 Chapter 8
 

Último

The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Último (20)

The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Tlpi chapter 38 writing secure privileged programs

  • 1. TLPI - Chapter 38 Writing Secure Privileged Programs Shu-Yu Fu (shuyufu@gmail.com)
  • 2. In This Chapter We discuss a set of recommended practices for secure programming, and describes various pitfalls that should be avoided when writing privileged programs.
  • 3. Privileged Programs ● have access to features and resources that are not available to ordinary users. ● was started under a privileged user ID. ● has its set-user-ID or set-group-ID permission bit set. ○ When a set-user-id (set-group-ID) program is execed, it changes the effective user (group) ID of the process to be the same as the owner (group) of the program file.
  • 4. Is a Set-User-ID or Set-Group-ID Program Required? ● Avoid writing them whenever possible. ● Is there an alternative way? ● Isolate the functionality that needs privilege into a separate program. ● It isn't always necessary for a set-user-ID program to give a process root credentials. ● A dedicated group account (group ID) for the program.
  • 5. Operate with Least Privilege ● The saved set-user-ID facility was designed for this purpose. uid_t orig_euid; orig_euid = geteuid(); /* Drop privileges */ if (seteuid(getuid()) == -1) errExit("seteuid"); /* Do unprivileged work*/ /* Hold privileges only while they are required. */ /* Reacquire privileges */ if (seteuid(orig_euid) == -1) errExit("seteuid"); /* Do privileged work*/ /* We must gain privilege prior to dropping it permanently */ /* Drop privileges permanently when they will never agin be required. */ /* Use setuid() for set-user-root and setreuid() (or setresuid()) for set-user-ID program */ if (setuid(getuid() == -1) errExit("setuid");
  • 6. Operate with Least Privilege (cont.) ● [Tsafrir et al., 2008] recommends that applications should use system specific nonstandard system calls for changing process credentials. ● Not only check that a credential-changing system call has succeeded, but also to verify that the change occurred as expected. ● We should drop/raise the privileged effective user ID last/first when dropping/raising privileged IDs.
  • 7. Be Careful When Executing a Program ● Drop privileges permanently before execing another program. ● Avoid executing a shell (or other interpreter) with privileges. ● Close all unnecessary file descriptors before an exec().
  • 8. Avoid Exposing Sensitive Information ● When a program reads sensitive information, it should perform whatever processing is required, and then immediately erase the information from memory. ○ The virtual memory page may be swapped out, and could then be read from the swap area by a privileged program. ○ If the process receives a signal that causes it to produce a core dump file, then that file may be read to obtain the information.
  • 9. Confine the Process ● Consider using capabilities The Linux capabilities scheme divides the traditional all-or-nothing UNIX privilege scheme into distinct units called capabilities. ● Consider using a chroot jail to limit the set of directories and files that a program may access. However, a chroot jail in insufficient to confine a set-user-ID-root program.
  • 10. Beware of Signals and Race Conditions ● We need to consider the race conditions that can occur if a signal is delivered at any point in the execution of the program. ○ Time-of-check, time-of-use race condition.
  • 11. Pitfalls When Performing File Operations and File I/O ● The process umask should be set to a value that ensures that the process never creates publicly writable files. ● Use of seteuid() or setreuid() may required in order ensure that a newly created file doesn't belong to the wrong user. ● Checks on file attributes should be performed on open file descriptors. (Avoid time-of-use, time-of-check problem) ● If a program must ensure that it is the creator of a file, then the O_EXCL flag should be used when calling open(). ● A privileged program should avoid creating or relying on files in publicly writable directories.
  • 12. Don't Trust Inputs or the Environment ● Don't trust the environment list. ○ Especially PATH and IFS. ● Handle untrusted user inputs defensively. ○ User-created files, command-line arguments, interactive inputs, CGI inputs, email messages, environment variables, IPC (FIFOs, shared memory, and so on) accessible by untrusted users, and network packets. ● Avoid unreliable assumptions about the process's run-time environment.
  • 13. Beware of Buffer Overruns ● Never use gets(), and employ functions such as scanf(), sprintf(), strcpy(), and strcat() with caution. ○ stack crashing (a.k.a. stack smashing) ■ address-space-randomization ■ NX (no execute) ● Alternatives, snprintf(), strncpy(), and strncat(). ○ The caller must check if truncation occurred. ○ Using strncpy() can carry a performance impact. ○ If the maximum size value given to strncpy() is not long enough to permit the inclusion of the terminating null character, the target string is not null-terminated.
  • 14. Beware of Denial-of-Service Attacks ● Denial-of-service attacks attempt to make a service unavailable to legitimate clients. ○ A server should be programmed to rigorously check its input and avoid buffer overruns. ○ The Server should perform load throttling. ○ A server should employ timeouts for communication with a client. SYN flood ○ In the event of an overload, the server should log suitable messages. However, logging should be throttled. ○ The server should be programmed so that it doesn't crash in the face of an unexpected load. ○ Data structures should be designed to avoid algorithmic- complexity attacks. ○ Spoofing attack
  • 15. Check Return Statuses and Fail Safely ● A program should always check to see whether system calls and library functions succeed, and whether they return expected values. ● If a privileged program encounters an unexpected situation, then the appropriate behavior is usually either to terminate or, in the case of a server, to drop the client request.
  • 16. Summary In this chapter, we presented a set of guidelines for writing privileged programs. The aim of these guidelines is twofold: to minimize the chances of a privileged program being subverted, and to minimize the damage that can be done in the event that a privileged program is subverted.
  • 17. Reference ● Oracle LinuxSecurity Guide for Release 6, Chapter 4. Security Considerations for Developers ● Secure Programming for Linux and Unix HOWTO