C SC 340 Lecture 12: Security

[ previous | schedule | next ]

major resources: "Reflections on Trusting Trust", Ken Thompson, Communications of the ACM, 1984
"The Internet Worm Incident", Eugene Spafford, Technical Report CSD-TR-933, Purdue University, 1991.

Distinguishing Protection from Security

Security

Security insures the integrity of system resources and data.

Security violation categories, broadly defined

Security features are needed at many levels

Come up with examples. Consider physical security of the system, human vulnerability, security in the OS itself, security of the network leading into the system.

List of security threats

The textbook introduces quite a few threats from within and without: What a rogue's gallery! Let's work our way through a few of them.

The threats are not all independent of each other.

Discussion of Thompson paper "Reflections on Trusting Trust"

This is Ken Thompson's Turing Award Lecture, printed in August 1984 issue of Communications of the ACM. He and Dennis Ritchie received the award to honor their development of the UNIX operating system at AT&T Bell Labs.

I recently did a Google search on the title of this paper and got nearly 2000 hits. It is available online from several sources.

Summary: Thompson bugged the C compiler (written in C), so that whenever Unix source code (written in C) was compiled, a trap door giving him special access was inserted into Unix binary. The trap door logic and the code that inserts it were placed into the compiler source using the technique of self-replicating code. After compiling the compiler source, the compiler binary contains the self-replicating code. It can then be removed from the compiler source code yet will be propagated every time the compiler source is subsequently compiled. Detectable only through reverse engineering of compiler binary code.

Discussion outline

We will follow this outline, only if we have time to read/discuss this paper.

Morris' Internet Worm of November 1988.

On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental self-propagating program called a worm and injected it into the Internet.

It spread very rapidly.  Due to a bug in the worm, it also spawned many new processes on each infected system, slowing system response to a crawl.  The Internet bogged down, and many system administrators simply disconnected.

Researchers at U.C. Berkeley and other institutions “reverse engineered” the worm’s code and developed a fix within a few hours.  The damage, however, was already widespread.

Morris was convicted of violating the computer Fraud and Abuse Act, and sentenced to three years of probation, 400 hours of community service, and a fine of $10,000. Ironically, his father was chief scientist at the National Computer Security Center at the time of the worm attack.

Significance:  first wake-up call for Internet users that security measures need to be taken.

The worm attacked several “holes” in BSD Unix, which was developed at U.C. Berkeley and distributed free to educational institutions.  Most machines connected to the Internet at that time ran BSD Unix.

Up to three methods of attack were attempted in this sequence: rsh (a facility for invoking a command shell from a remote machine), fingerd (described below), and sendmail (email server).

The fingerd attack

Here is a detailed description of the fingerd attack. We will cover it only if time allows.

One mode of attack was through a bug in BSD Unix fingerd

Partial pseudo-code for the finger program, the fingerd program, and the Morris Internet Worm attack on fingerd.

finger program

  1. get user name from command argument
  2. determines whether request is for local or remote user ("user" or "user@host")
  3. if for local user
    1. does lookup for that user
    2. outputs results to standard output
  4. if for remote user
    1. creates a client socket
    2. connects through socket to remote host (server) port 79, the fingerd port
    3. sends user name to server through socket
    4. reads user information from server through socket
    5. outputs results to standard output
    6. closes connection and socket

fingerd server

  1. Accepts socket connection from client on port 79
  2. (standard input and output are redirected to socket)
  3. Reads user name from client through socket using system call gets(buffer), where buffer is a 512-byte character array. The man page for gets states: Function gets(s) reads a line from standard input into the buffer pointed to by s until either a terminating newline or EOF, which it replaces with '\0'. No check for buffer overrun is performed (see BUGS below).
  4. Forks new process to execute finger with the local user name.
  5. After forking, the parent loops back to step 1 to get next client connection

worm, pretending to be fingerd client

  1. Creates a client socket
  2. Connects through socket to remote host (server) port 79, the fingerd port
  3. Instead of sending user name, sends specially-crafted 536 byte string to server through socket. This overflows the 512 byte buffer. The extra 24 bytes overwrite other parts of the runtime stack to this affect:
  4. When the server attempts to return,
  5. The worm now has a command shell on the remote host and can send commands.
  6. Worm sends commands to copy the remainder of the worm program and then to execute it. Self-propagation!

This account is digested from several web pages, including one containing the source code for the worm!  Do a google search on Morris Internet Worm and you'll get lots of information.

The Slammer worm of January 2003

The possibility of "buffer overflow" attack remains to this day. 

My source for this account is the July 2003 Wired magazine article "Slammed! An inside view of the worm that crashed the Internet in 15 minutes." They caught some grief for publishing the disassembled code of the worm but it is instructive.

Just after midnight on January 25, 2003, the Internet was overwhelmed in 15 minutes by UDP packets targeting Microsoft's SQL Server 2000. The worm took advantage of a buffer overflow vulnerability.

Here's how the worm was constructed and operated

UDP is a prime carrier for such an attack because each packet travels the Internet on its own and arrives at the receiving host unexpected. By contrast, the more robust TCP protocol establishes a client-server connection prior to sending any data packets. TCP has its own vulnerabilities, but that's a different story...

As far as I've been able to determine, the author and source of Slammer have never been identified.

Cryptography

One defense against security threats is cryptography The Texas State Library computer security glossary contains a very specific definition of cryptography "The art of science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form."

Relevant crypto topics include:

Check my CSC 150 cryptography notes for more details.
[ C SC 340 | Peter Sanderson | Math Sciences server  | Math Sciences home page | Otterbein ]

Last updated:
Peter Sanderson (PSanderson@otterbein.edu)