Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 28. User Security

	COMINIUS: Away! the tribunes do attend you: arm yourselfTo answer mildly; for they are prepar'dWith accusations, as I hear, more strongThan are upon you yet.
	--Coriolanus, III, ii, 138–141.

Although computer systems provide security mechanisms and policies that can protect users to a great degree, users must also take security precautions for a variety of reasons. First, although system controls limit the access of unauthorized users to the system, such controls often are flawed and may not prevent all such access. Second, someone with access to the system may want to attack an authorized user—for example, by reading confidential or private data or by altering files. The success of such attacks may depend on the victim's failure to take certain precautions. Finally, users may notice problems with their accounts, causing them to suspect compromises. The system administrator can then investigate thoroughly.

This chapter considers a user of a workstation on the development network at the Drib. The user's primary job is to develop products or support for the Drib. It is not to secure her system. We explore the precautions, settings, and procedures that such a user can use to limit the effect of attacks on her account.

Policy

Most users have informal policies in mind when they decide on security measures to protect their accounts, data, and programs. Few analyze the policies or even write them down. However, as with the development of a network infrastructure, and of the configuration and operation of a system, users' security policies are central to the actions and settings that protect them.

The components of users' policies that we focus on are as follows.

U1. Only users have access to their accounts.
U2. No other user can read or change a file without the owner's permission.
U3. Users shall protect the integrity, confidentiality, and availability of their files.
U4. Users shall be aware of all commands that they enter, or that are entered on their behalf.

Access

Component U1 requires that users protect access to their accounts. Consider the ways in which users gain access to their accounts. These points of entry are ideal places for attackers to attempt to masquerade as users. Hence, they form the first locus of users' defenses.

Passwords

Section 12.2.2, “Countering Password Guessing,” discussed the theory behind good password selection. Ideally, passwords should be chosen randomly.^[1] In practice, such passwords are difficult to remember. So, either passwords are not assigned randomly, or they require that some information be written down.

Writing down passwords is popularly considered to be dangerous. In reality, the degree of danger depends on the environment in which the system is accessed and on the manner in which the password is recorded.

EXAMPLE: Consider the isolated system that the development network administrators use to create the CD-ROM from which other workstations boot (see Section 27.7.2). This system is kept in a locked room, and only the authorized users of the system have keys. The system is not connected to networks or telephone lines and can be accessed only from within that room. The password for the role account used to construct the CD-ROM is written on a whiteboard in the room. Given that all users of the isolated system are authorized to know that password, and that anyone else entering the room is under observation, this arrangement meets policy component U1. (But see Exercise 1.)

Users with accounts on many systems will choose the same password for each system, choose passwords that follow a pattern, or write passwords down.^[2] On the development network, the first of these is a result of centralizing the user database. Even there, users (especially system administrators) may have multiple accounts, including some on infrastructure systems that do not use the centralized user database. These users must take precautions to protect their passwords.

EXAMPLE: The development network has 10 infrastructure systems (mail, file, Web, and other servers). Anne and Paul are the lead system administrators for the infrastructure systems. They must have privileged access to all those systems. To make the root and Administrator passwords as difficult as possible to guess, those passwords are chosen randomly. But Paul and Anne cannot remember 10 random passwords. Instead, each has decided on a transformation algorithm.^[3] Anne's is “Change the third letter's case, and delete the last character.” Paul's is “Add 2 mod 10 to the first digit, and delete the first letter.” The following table summarizes the actual passwords and what Paul and Anne have written on small pieces of paper that they carry with them.

Actual password	Anne's version	Paul's version
`C04cEJxX`	`C04ceJxX5`	`RC84cEJxX`
`4VX9q3GA`	`4VX9Q3GA2`	`a2VX9q3GA`
`8798Qqdt`	`8798QqDt$`	`67f98Qqdt`
`3WXYwgnw`	`3WXywgnwS`	`Z1WXYwgnw`
`feOioC4f`	`feoioC4f9`	`YfeOioC2f`
`VRd0Hj9E`	`VRD0Hj9Eq`	`pVRd8Hj9E`
`e7Bukcba`	`e7BUkcbaX`	`Xe5Bukcba`
`ywyj5cVw`	`ywYj5cVw*`	`rywyj3cVw`
`5iUikLB4`	`5iUIkLB4m`	`3JiUikLB4`
`af4hC2kg`	`af4HC2kg+`	`daf2hC2kg`

If someone obtains either Anne's or Paul's list, the thief will not be able to determine the correct password before Anne or Paul notices that the list is missing and takes appropriate action.

The users of development network workstations can choose their own passwords, but a proactive password checking program checks the proposed password before accepting it.^[4] The proactive password checker rejects proposed passwords that are deemed too easy to guess.^[5] Most users choose verses of poetry or sayings, and use them to generate their passwords.

If a user chooses a password that is easy to guess, it may cause a violation of policy component U1.

The Login Procedure

To log in, the user must supply her login name and authentication information. First, the user obtains a prompt at which she can enter the information. She then logs in.

The first potential attack arises from the lack of mutual authentication on most systems. An attacker may place a program at the access point that emulates the login prompt sequence. Then, if the user has a reusable password, the name and password are captured. Crude versions of this Trojan horse^[6] save the name and password to a file and then terminate by spawning a legitimate login session. The user will be reprompted for the information. Most users simply assume that they have mistyped some part of the password (which, after all, is usually not printed) and proceed to repeat the login procedure. A more sophisticated version saves the name and password to a file and then spawns the login process and feeds it the name and password. The program terminates, giving control of the access point to the login process.

EXAMPLE: Students at many university sites in the 1970s tried this attack in public terminal rooms. They had varying degrees of success. An early version of one operating system had a feature that defeated the crude versions of this attack. If a user mistyped his name or password, the login program would reprompt him for this information. However, the prompt for the user name would change from “Login:” to “Name:”. If a user saw the prompt “Login:” twice in a row, he had reason to believe that a spoof was underway.

EXAMPLE: Secure Xenix [398] had an alternative approach that is common to systems that desire high assurance authentication of users. When a user wished to log in, he struck a particular combination of keys that created a trusted path to the kernel. No application program could disable this feature; no application program could read or alter the information given to the kernel over that path. The kernel then performed the identification and authentication processing and granted or denied the user access.

The second potential attack arises from an attacker reading the password as it is entered. At a later date, the attacker can reuse the password. This differs from the first attack in that it succeeds even when the user and system mutually authenticate each other. The problem is that the password is no longer confidential.

EXAMPLE: “Shoulder surfing” is a technique in which an attacker watches the target enter the password. Variations on this attack include reading of the characters from kernel variables, which requires that the attacker have access to those structures (usually as a result of a system configuration error^[7] ), and passive wiretapping of an unenciphered connection.

The latter opportunity for reading the password is important. Many protocols, such as ftp and telnet, do not encipher messages. If a user name and password are sent over such a connection, they are visible at every intermediate node and network. Other protocols, such as SSH and SSL, provide enciphered “tunnels” through which other protocols can be sent.^[8] This provides the user with confidentiality even when the protocols themselves do not. In some environments, this is unnecessary. For example, the Drib firewalls block any traffic to the Internet, and hosts and networks within the Drib are trusted not to capture network traffic. In other environments, especially when messages are sent over untrusted links, enciphering of all messages is prudent.

As part of the login procedure, many systems print useful information. If the date, time, and location of the last successful login are shown, the user can verify that no one has used her account since she last did. If the access point is shown, the user can determine if some program is intercepting and rerouting her communications.

EXAMPLE: Suppose a user logs in from the console. After the login, the system prints a message indicating that she last successfully logged in on the previous Tuesday and was currently using a network terminal. The time of login happens to be correct, but the terminal is not, and the user should contact the system administrator. One possible explanation is that a Trojan horse is capturing all commands, saving them in a file, and then passing the commands back to the normal system login process over a network connection.

Policy component U1 suggests that the user should be alert when logging in. If something suspicious occurs, or the link to the system is not physically or cryptographically protected, an unauthorized user may acquire access to the system.

Trusted Hosts

The notion of “trusted hosts” comes from the belief that if two hosts are under the same administrative control, each can rely on the other to authenticate a user. It allows certain mechanisms, such as backups, to be automated without placing passwords or cryptographic keys on the system.

EXAMPLE: The Drib uses a remote backup scheme run from a backup system. It logs into each system as the user “backup” and executes a backup program. The backup program sends the data to be backed up over the network connection. If logging in required a password, then an administrator password would have to be present on the backup system. The Drib development network administrators considered this to be an unacceptable risk. Instead, they made all systems trust the backup host. Then the backup user could simply log in without a password.

The trusted host mechanism requires accurate identification of the connecting host. The primary identification token of a host is its IP address,^[9] but the authentication mechanism can be either the IP address itself [549] or a challenge-response exchange^[10] based on cryptography [1065]. The Drib uses the latter. This prevents IP spoofing.

The development network workstations use the cryptographically based trusted host mechanism. The implementation provides enciphered and integrity-checked connections. Because all development network workstations use the same user information database, a developer need only log into one using a password. She can then access any workstation on that subnet.

Hence, the development network provides an infrastructure that supports this aspect of policy component U1.

Leaving the System

The Drib has many physical and procedural controls that limit access to its facility, but some people not authorized to use the systems have access to the rooms in which those systems reside. For example, custodians clean the rooms. If lights or air conditioning units need to be repaired, maintenance workers need entry. Hence, physical security is not sufficient to control access to the systems.

Users must authenticate themselves to begin a session. However, once authenticated, the user must also control access to the session. A common problem is that users will leave their sessions unattended—for example, by walking away from their monitors to go to the bathroom. If a custodian came into the room, she would see that the monitor was logged in and could enter commands, thereby obtaining access to the system even though she was not authorized to do so.

When a user of a system leaves a session unattended, he must restrict physical access to the endpoint of the session.^[11] When that endpoint is a monitor or terminal, a screen locking program provides an approriate defense against this threat.

Screen locking programs may have security holes. The most common is a “master password” that unlocks the terminal if the user forgets the password used to lock it.^[12]

A modem bank provides similar opportunities for open sessions. When a modem detects carrier drop (that is, when the remote user hangs up), it terminates the session. However, two problems arise. The first and simpler one is that the detection of carrier drop is configurable. Some modems have a physical switch that must be set properly to detect the termination of a telephone call.^[13]

EXAMPLE: The author once accessed a UNIX system through a modem to make some changes in his role as a system administrator. Unfortunately, the configuration of the system had changed so that he was unable to acquire superuser privileges. One not only needed the password but also had to be a member of the group wheel.^[14] The author logged out and hung up. When he accessed the system 20 minutes later, through the same modem bank, the modem connected him to an ongoing session. This session, left when a previous user had hung up without logging out, had super-user privileges. The author made the required changes, sent electronic mail to warn everyone to log out before disconnecting, and then logged out and hung up the telephone. The next day, he checked the modem configurations and reset the switch that detected carrier drop. (It had been bumped accidentally when someone was adding two new modems to the rack of modems.)

The second problem is similar but more subtle. Some older telephone systems mishandle the propagation of call terminations. The result is a race condition,^[15] in which a new connection arrives at the switch and is forwarded before the termination signal arrives at the modem. The effect is exactly the same as in the example above: the modem never sees the carrier drop. If the session is terminated, the modem initiates a new session and the race condition does not affect the system's accessibility, but if the session is unterminated, the new connection will have access to the session.

The Drib's solution to these problems is a mixture of physical and technical means. All workstations have display locking programs that do not accept a master password. They use the user's login password as the key to unlocking the display. If the user is unable to supply that password (for example, if the user forgets it or becomes ill and cannot communicate it), the system administrators can remotely log into the workstation and terminate the process. The procedural mechanisms involve disciplinary action against developers who fail to lock displays, or fail to lock the doors of their offices when they leave. As far as modems go, the Drib does not allow modems to be connected to the development network.

Files and Devices

Users keep information and programs in files. This makes file protection a security mechanism that users can manipulate to refine the protection afforded their data. Similarly, users manipulate the system through devices of various types. Their protection is to some degree under the user's control. This section explores both.

Files

Users must protect confidentiality and integrity of the files to satisfy policy component U2. To this end, they use the protection capabilities of the system to constrain access. Complicating the situation are the interpretation of permissions on the containing directories.

EXAMPLE: Peter is using a UNIX-based system. He wants to allow Deborah to read the file design but prevent other users from doing so. He can use the abbreviated ACL mechanism of standard UNIX systems^[16] to do this in three ways.

If Deborah and Peter are the only members of a group, Peter can make the file owned by that group and readable by that group but not readable by others.

If Deborah is the only member of a group and the UNIX system semantics allow the owner of a file to give the file to a group of which the owner is not a member, Peter can give group ownership of the file to Deborah's group and then set the group ownership privileges as described above.

An alternative approach is to set permissions on the containing directory. Peter can set the permissions of the directory to allow search access only to himself and to the group of which Deborah is the only member by turning on read and execute permission for the group owner of the directory. Then the protections of the file can allow anyone to read the file. Because only Peter and Deborah can search the directory (the execute permission), only they can reach the file.

This example illustrates the cumbersome nature of abbreviated ACLs (see Exercise 3; Exercise 4 explores an approach to the situation in which Peter and Deborah are the only members in common to two groups). Ordinary ACLs make the task considerably simpler.

Users can control several aspects of file protection. The remainder of this section explores some of these aspects.

File Permissions on Creation

Many systems allow users to specify a template of permissions to be given to a file when it is created. The owner can then modify this set as required.

EXAMPLE: When Roger creates a directory on Windows NT, it inherits the ACL of its parent directory.

UNIX-like systems take an alternative approach. A user can identify specific permissions to be denied on creation.

The variable umask contains a set of permissions to be disabled. It uses the nine-bit format of the standard UNIX protection mask, in which the first set of three bits corresponds to the owner, the second set corresponds to the group, and the third set corresponds to others (everyone except the owner and members of the group). The first bit in each triplet controls read access, the second bit controls write access, and the third bit controls execute access. So, if a user sets her umask to 022, then, when she creates a file, group and other write pemissions are turned off, regardless of the permissions she requested. If she wants the group members to have write access, she can use a command such as chmod to enable that access. (See Exercise 5.)

Group Access

Group access provides a selected set of users with the same access rights.^[18] The problem is that the membership of the group is not under the control of the owner of the file. This has an advantage and a disadvantage.

The advantage arises when the group is used as a role.^[19] Then, as users are allowed to assume the role, their access to the file is altered. Because the owner of the file is concerned only with controlling access of those role users, reconfiguration of the access to the role reconfigures user access to the file, which is what the user wants.

EXAMPLE: Tom is working on a project to develop the next generation of widgets, called Widget-NG. All members of the Widget-NG design team are in the group widgetngd. The files that contain the design are group-owned by widgetngd, and the members of that group can read from and write to the file.

Even when the membership of the group changes, the function of the group does not. Hence, the new users are given access to the Widget-NG information. The group ownership mechanism provides that access.

The disadvantage arises when a group is used as a shorthand for a set of specific users. If the membership of the group changes, unauthorized users may obtain access to the file, or authorized users may be denied access to the file.

EXAMPLE: Maria wants her friends Anne and Joan to have access to the file movies. She has the system administrator create a group called maj, which contains those three users, and makes the file group-owned, readable, and writable by the group maj.

The system administrator is later asked to create a group containing Maria, Anne, Joan, and Lorraine. He notices that the group maj contains three of those four users, and he simply adds Lorraine to the group. Now Lorraine can read and alter the file movies, even though Maria never intended for her to do so.

In general, users should limit access as much as possible when creating new files. So ACLs and C-Lists should include as few entries as possible, and permissions for each entry should be as restrictive as possible. Constructs such as the umask should be set to deny permissions to as many users as possible (in the specific case of UNIX systems, umask should deny all permissions to all but the owner, unless there are specific reasons to set it differently).

File Deletion

A user deletes a file. Either the file data or the file name is discarded. The effects of these differ widely.

Computer systems store files on disk. The file attribute table contains information about the file. The file mapping table contains information that allows the operating system to locate the disk blocks that compose the file. Systems represent a file being in a directory in a variety of ways. All involve an entry in the directory for that file, but the entry may contain attribute information (such as permissions and file type) or may merely point to an entry in the file attribute table.

Definition 28–1. A direct alias is a directory entry that points to (names) the file. An indirect alias is a directory entry that points to a special file containing the name of the target file. The operating system interprets the indirect alias by substituting the contents of the special file for the name of the indirect alias file.

All direct aliases that name the same file are equal. Each direct alias is an alternative name for the same file.^[20]

The representation of containment in a directory affects security. If each direct alias can have different permissions, the owner of a file must change the access modes of each alias in order to control access. To avoid this, most systems associate the file attribute information with the actual data, and directory entries consist of a pointer to the file attribute table.

When a user deletes a file, the directory entry is removed. The system tracks the number of directory entries for each file, and when that number becomes 0, the data blocks and table entries for that file are released. This means that deleting a file does not ensure that the file is unavailable; it merely deletes the directory entry.

EXAMPLE: Anna uses a UNIX-based system. She has a program runasanna that is setuid to herself.^[21] She wishes to delete it so that no one can use it. However, if she executes the command

rm runasanna

she will delete the directory entry for that file. If no one else has a direct alias (or, in UNIX terminology, a hard link) to the file, it will be removed from the system.

Sandra, however, has made a direct alias to the file. Anna has deleted the file, but there is still a directory entry (Sandra's direct alias) corresponding to the file, so the file has not been deleted. Sandra can still execute the program. Because it is still setuid to Anna, the program runs with Anna's, not Sandra's, permissions.

On UNIX systems, Anna can delete the file from Sandra's directory only if Sandra has given Anna write permission to the directory. To prevent anyone from using the program, Anna must change the permissions of the program to disable it. She can then delete her direct alias. The first line turns off all access permissions to the file, including the setuid permission.

chmod 000 runasanna
rm runasanna

Sandra will retain her alias, and the program will still reside on disk, but it will be useless.

The second issue affecting file deletion is persistence. When a file is deleted, its disk blocks are returned to the pool of unused disk blocks, and they may be reused. However, the data on them remains, and if an attacker can read those blocks, he may read information that was intended to be confidential. When sensitive files are deleted, the contents should be erased before deletion.^[22]

The third issue lies in the difference between direct and indirect aliases. When a command that affects a file is executed, it may have different effects depending on whether the file is a direct alias or an indirect alias. This may mislead a user into believing that certain information has been protected or deleted when in fact the protection or deletion applied only to the indirect alias and not to the file itself.

EXAMPLE: Suppose Angie executes a command to add read permission to a file for Lucy. If the file is a direct alias, Lucy will be able to read the contents of the file, but if it is an indirect alias, does Lucy have permission to read the file or the indirect alias file? The answer depends entirely on the semantics of the system. The semantics may not be consistent. For example, on Red Hat Linux 7.1, the chmod command changes the permissions of the file named by the indirect alias, whereas the rm command deletes the indirect alias file itself.

Devices

Users communicate with the system through devices. The devices may be virtual, such as network ports, or physical, such as terminals. Policy components U1 and U4 require that these devices be protected so that the user can control what commands are sent to the system in her name and so that others are prevented from seeing her interactions.

Writable Devices

Devices that allow any user to write to them can pose serious security problems. Unless necessary for the correct functioning of the system, devices should restrict write access as much as possible.^[23] Two examples will demonstrate why.

EXAMPLE: Many systems have tape drives set so that anyone can write to them. When a process begins writing, the ACL of the device changes so that only that process (or the user executing the process) can write to the device. However, between the mounting of the media and the execution of the process is an interval during which another user's process can access the tape drive and read, or overwrite, the tape. For this reason, users should always write-protect mounted media unless they are to be altered.^[24] If possible, processes should be attached to such devices, or the devices should be locked to prevent anyone except the user from accessing them, before the media are mounted.

The development network users have a default configuration that denies write privileges to everyone except the user of a terminal.

Smart Terminals

A smart terminal provides built-in mechanisms for performing special functions. Most importantly, a smart terminal can perform a block send. Using this mode, a process can instruct a terminal to send a set of characters that are printed on the screen. The instructions are simply a sequence of characters that the process sends to the terminal. This can be used to implant a Trojan horse.^[25]

EXAMPLE: Robert wants to trick Craig into executing the command

chmod 666 .profile

so that Robert can add commands to Craig's startup file. Robert carefully crafts a letter that contains the following.

Dear Craig,
Please be careful. Someone may ask you to execute
chmod 666 .profile
You shouldn't do it!
Your friend,
Robert
<BLOCK SEND (-2,18), (-2,18)><BLOCK SEND
(-3,0),(3,18)><CLEAR>

(The sequence

<BLOCK SEND (a,b), (c,d)>

sends all characters from screen position (a,b) to position (c,d) to the system, as though the user had typed them. On Craig's terminal, a newline is stored as an invisible character at the end of each line. The sequence

<CLEAR>

clears the terminal screen.) When Craig reads this letter, the command

!chmod 666 .profile

will be sent to the system as though the user had typed it. In this particular mail reading program, the “!” causes the mail program to send the rest of the line to a command interpreter. That interpreter promptly executes the forbidden command and clears the screen to hide the visible traces of the command.

The difference between a smart terminal and a writable terminal is subtle. Only the user of the terminal need have write access to the smart terminal, whereas the earlier attacks required the attacker as well as the user of the terminal to be able to write to the terminal. An attacker must therefore trick the user into reading data in order to spring the smart terminal attack. This requires malicious logic (or, in this context, malicious data).^[26]

Monitors and Window Systems

Window systems provide a graphical user interface to a system. Typically, a process called the window manager controls what is displayed on the monitor and accepts input from input devices. Other processes, called clients, register with the window manager. They can then receive input from the window manager and send output to the window manager. The window manager draws the output on the monitor screen if appropriate. The window manager is also responsible for routing input to the correct client.

The obvious question is how the window manager determines which clients it may talk to. If an attacker is able to register a client with the window manager, the attacker can intercept input and send bogus output to the monitor.

Window systems can use any of the access control mechanisms described in Chapter 15 to control access to the window manager. The granularity of the access control mechanism varies among different window systems.

EXAMPLE: The X window system controls access on the basis of host name or possession of a token [145]. If access is granted to the window manager, the client may control the display. The window manager cannot control which parts of the display, or which clients, the new client communicates with. The X window system offers two modes of control. Neither provides any confidentiality.

The first mode, called the xhost method, determines the name of the host from which the client is trying to connect.^[27] The window manager then checks a list of hosts from which processes are authorized to connect. If the process comes from one of those hosts, access is granted. Otherwise, access is denied.

The second mode, called the xauth method, requires that a process be able to supply a fixed random number (called a magic cookie).^[28] When the X window manager starts, it creates (or is given) a magic cookie. This cookie is stored in the file .Xauthority in the user's home directory. Any client that attempts to connect to the window manager for that user's display must supply that magic cookie. If the process is local and is run by the user, it can obtain the magic cookie directly from the .Xauthority file. If the process is to be run on a remote host, the user must ensure that the process has the magic cookie before it connects to the window manager (this is usually done by copying the .Xauthority file to the remote system).

Processes

Processes manipulate objects, including files. Policy component U3 requires the user to be aware of how processes manipulate files. This section examines several aspects of this requirement.

Copying and Moving Files

Copying a file duplicates its contents. The semantics of the copy command determine if the file attributes are also copied. If the attributes are not copied, the user may need to take steps to preserve the integrity and confidentiality of the file.

EXAMPLE: Suppose Mona Anne wants to copy the file xyzzy on a UNIX system. She gives the following command.

cp xyzzy plugh

If the file plugh does not exist, this command creates it and copies the contents of xyzzy into it. The permissions will be the same as for xyzzy, except that the setuid and setgid attributes will be discarded (see Section 28.4.5).

If the file plugh exists, the command copies the contents of xyzzy into it. It does not alter the permissions of plugh. This is a security problem, because if xyzzy is not readable by everyone but plugh is, the contents of xyzzy will no longer be confidential because anyone reading plugh will learn them.

Similarly, sometimes the semantics of moving files involve copying a file and deleting the original copy. In this case, the file attributes of the move command follow those of the copy command. Otherwise, the move command may preserve the attributes of the original command.

The semantics of the commands, and how well the user knows those semantics and can take steps to handle potential security problems, affect their ability to satisfy policy component U3.

Accidentally Overwriting Files

Part of policy component U3 is to protect users from themselves.^[29] Sometimes people make mistakes when they enter commands. These mistakes can have unpleasant consequences.

EXAMPLE: Scout wants to delete all the files in her directory whose names end in the characters “.o”. She uses the pattern “*.o” to match these file names. The “*” is a wildcard that matches 0 or more characters, so the pattern is read as “all file names that end in .o”. Unfortunately, she mistypes the command, putting a space between the “*” and the “.o” accidentally:

rm * .o

This command says to delete all files in the current directory, and the file “.o”. Scout will discover this when the command prints the error message

.o: No such file or directory

after all the files have been deleted.

Many programs that delete or overwrite files have an interactive mode. Before any file is deleted or overwritten, the program requests confirmation that the user intends for this to happen.^[30] Policy component U3 strongly suggests that these modes be used. In fact, the development workstations have these modes set in user start-up files. The users can disable the modes, but generally do not.

Encryption, Cryptographic Keys, and Passwords

The basis for encryption is trust. Cryptographic considerations aside, if the encryption and decryption are done on a multiuser system, the cryptographic keys are potentially visible to anyone who can read memory and, possibly, swap space. Anyone who can alter the programs used to encipher and decipher the files, or any of the supporting tools (such as the operating system), can also obtain the cryptographic keys or the cleartext data itself. For this reason, unless users trust the privileged users,^[31] and trust that other users cannot acquire the privileges needed to read memory, swap space, or alter the relevant programs, the sensitive data should never be on the system in cleartext.^[32]

EXAMPLE: PGP protects a user's private key by enciphering it with a pass-phrase. Mary Ann receives a letter that the sender has enciphered for confidentiality using PGP. She enters her pass-phrase to allow the PGP deciphering program to obtain her private key. It uses her key to decipher the data encryption key, and then the message. Unknown to Mary Ann, Eve has broken into her system and has implanted a keystroke recording module. When Eve retrieves the log of the session, she will have the pass-phrase, from which she can obtain Mary Ann's private key, and thus her identity (as far as Mary Ann's PGP recipients are concerned).

The saving of passwords on a multiuser system suffers from the same problem. In addition, some programs that allow users to put passwords into a file do not rely on enciphering the passwords; they simply require the user to set file permissions so that only the owner can read the file.

EXAMPLE: An implementation of the ftp client under some versions of the UNIX system allows users to keep account names, host names, and passwords in a file called .netrc. Kathy uses the remote host gleep to store files, so she often connects using ftp. Her .netrc file looks like this:

machine gleep
login kathy
password oi4ety98

The security risks of keeping her information in this file were brought home when one day ftp ignored the file. On investigation, Kathy determined that the .netrc file was readable by all users on the system. By looking at her previously typed commands, Kathy realized that she had mistyped one of them. The unfortunate effect of that command was to make the .netrc file readable.

The circumstances under which a password should reside in a system are few.^[33] Unless unavoidable, no password should reside unenciphered in a system, either on disk or in memory. The Drib has modified its ftp programs to ignore .netrc files. This discourages their use. Furthermore, system administrators have embedded a check for such files in their audit tools that check the systems.

Start-up Settings

Many programs, such as text editors and command interpreters, use start-up information. These variables and files contain commands that are executed when the program begins but before any input is accepted from the user. The set of start-up files, and the order in which they are accessed, affect the execution of the program.

EXAMPLE: When a user logs in to a FreeBSD 4.4 system, her login shell sh initializes itself by accessing start-up information in the following order.

The contents of the start-up file /etc/profile
The contents of the start-up file .profile in the user's home directory
The contents of the start-up file named in the environment variable ENV

If any of these files do not exist, the step is skipped.

The security threat lies in the program's trust of the start-up information. For example, if the environment variable ENV were to name a file that an untrusted user could alter, then that user could insert commands to delete files or give the attacker privileges to perform actions that violate policy. This Trojan horse can be difficult to detect, especially because it can erase itself after execution but before the shell allows interaction.

Limiting Privileges

Users should know which of their programs grant additional privileges to others. They should also understand the implications of granting such privileges.

EXAMPLE: Part of Toni's job as a secretary to the manager of the Drib Development Group is to read mail sent to her boss, Fran. Because Fran knew about the dangers of sharing passwords, she copied the UNIX command interpreter into a file that she owned, and turned on the setuid permission.^[34] This allowed Toni to read Fran's mail.

Toni quickly discovered that the command interpreter allowed her to do anything as Fran. She suggested to Fran that perhaps some other approach could be found.^[35] After some discussion, the two decided to forward to Toni a copy of every letter that Fran received. This enabled Toni to process Fran's mail without having access to her account.

The two had considered an alternative approach—to make a copy of the mail reading program setuid to Fran. Unfortunately, the mail program had an escape mechanism that allowed the user to pass commands to a command interpreter—and that had the same effect as giving Toni the shell.

Malicious Logic

Section 27.2.2 discusses mechanisms for preventing users from bringing malicious software from outside the development network. However, insiders can write malicious programs in order to gain additional privileges or to sabotage others' work. Also, if an attacker breaks in, he may not acquire the desired privileges and may leave traps for authorized users to spring. Hence, users need to take precautions.

Definition 28–2. A search path is a sequence of directories that a system uses to locate an object (program, library, or file).

Because programs rely on search paths, users must take care to set theirs appropriately.

EXAMPLE: Johannes' coworker wants to see Johannes' confidential designs. The coworker has created a small program called ls that will copy the designs to a public area, from which the coworker can retrieve them. She has placed copies of ls in various publicly writable directories, including /tmp. Johannes changed to that directory to clean up files he had left there. Johannes' program search path was

. /bin /usr/bin /usr/local/bin

where “.” means the current directory. Johannes executed the ls program. The command interpreter first looked in the current directory for an executable named ls, found it, and executed it. The coworker got the desired files.

Some systems have many types of search paths. In addition to searching for executables, a common search path contains directories that are used to search for libraries when the system supports dynamic loading. In this case, an attacker can create a new library that the unsuspecting victim will load, much as Johannes executed the wrong program in the example above.^[36]

Part of policy component U4 requires that the users have only trusted directories in their search paths. Here, “trusted” means that only trusted users can alter the contents of the directory. The default start-up files for all the development workstation users have search paths set in this way.^[37]

Electronic Communications

Electronic communications deserves discussion to emphasize the importance of users understanding basic security precautions. Electronic mail may pass through firewalls (as the Drib policy allows; see Section 26.3.3.1). Although it can be checked for malicious content, such checking cannot detect all forms of such content.^[38] Finally, users may unintentionally send out more material than they realize. Hence, users must understand the threats and follow the procedures that are appropriate to the site policy.

Automated Electronic Mail Processing

Some users automate the processing of electronic mail. When mail arrives, a program determines how to handle it. The mail may be stored for the user, or it may be interpreted as a sequence of commands causing execution of either programs already on the system or part of the content of the message, or both. The danger is that the execution may have unintended side effects.

Electronic mail comes from untrusted sources. Hence, in general, the contents of e-mail messages are not trustworthy. Mail programs should be configured not to execute attachments, or indeed any component of the letter.^[39] The trust in the result of such execution is the same as the trust the reader puts in the data contained in the mail message.

Failure to Check Certificates

Electronic signatures can be misleading. In particular, a certificate may validate a signature, but the certificate itself may be compromised, invalid, or expired. Mail reading programs must notify the user of these problems, as well as provide a mechanism for allowing the user to validate certificates.

EXAMPLE: Someone pretending to be a Microsoft employee obtained two certificates that could be used to sign programs under the name of Microsoft Corporation [228].^[40] The issuer (not Microsoft Corporation) immediately revoked both certificates and placed them on the Certificate Revocation List,^[41] but sites that had not received the revocation notice would accept the certificates as valid and could execute malicious logic that the attackers had signed. Although the mechanism involved used Web pages, the generalization to electronic mail is obvious.

The Drib has enhanced all mail reading programs that use certificates to validate the certificates as far as possible. The programs then display the certificates that could not be validated, to allow users to determine how to proceed.

Sending Unexpected Content

Attachments to electronic mail may contain data of which the sender is not aware. When these files are sent, the recipient may see more than the sender intended.

Some programs perform “rapid saves,” in which data is appended to the file and pointers are updated. When the program rereads the file, the document appears as it was last saved, and the extraneous data is ignored. However, if the file is sent to a different system, or if other programs are used to access the file, the “deleted” contents will be accessible.

The users of the development workstations are periodically warned about this risk. Furthermore, all programs with “rapid saves” have them disabled by default.^[42]

Summary

This chapter covered only a few aspects of how users can protect the data and programs with which they work. The security policy of the site and the desires of the user combine to provide a personalized, if unwritten, security policy.

Well-chosen reusable passwords, or (even better) one-time passwords, inhibit unauthorized access. Other authentication mechanisms allow users to control access to some degree on the basis of the host of origin and cryptographic keys (although in some cases the system administrator can override these access controls). Users can prevent interference with their sessions by using enciphered, integrity-checked sessions and by physically securing the monitors or terminals they use to interact with the system (as well as the system of origin, if they are working remotely).

Basic file permission mechanisms help protect the confidentiality and integrity of data and programs. The user can check programs for an “interactive” mode that will require verification of any request to delete or overwrite files. Other aspects of file handling, such as erasing files before deleting them, and verifying that deletion of a file does not delete only an alias and leave the file accessible, also affect file security.

Equally important are the controls on devices. The sophistication of most modern equipment allows devices to be programmed from the computer to which they are connected. Hence, devices should be configured to refuse unexpected or untrusted connections. Ideally, access control mechanisms will provide sufficient granularity to allow access based on users or processes.

Processes act on the user's behalf, and can perform any action that the user requests. Malicious logic, or corrupt input, can cause the process to act in ways that the user does not want. Users can minimize this risk by setting up their environments carefully and by not executing untrusted programs or giving untrusted data to trusted programs.

Research Issues

There is a tension between allowing security features to be highly configurable and expecting users to configure them correctly (as defined by adherence to a security policy). Users view security as an infrastructure measure, designed to support work, and not as an end goal in itself. Because their primary goal is not security, many users find security mechanisms cumbersome and difficult to use. Designing mechanisms that can be readily understood, and that can be configured with a minimum of effort by untrained users, is a critical area of research that has received little attention. Striking the right balance between configurability and usability is a topic that combines security, psychology, and user interfaces.

Exercises

1:	Consider the isolated system described in the first example in Section 28.2.1. If custodians and other people not authorized to use the isolated system were allowed into the room without observation, would that violate policy component U1? Justify your answer.
2:	Reconsider the lock program discussed in Section 28.2.3. The program requires a user to choose a password (rather than using her login password) to lock the screen. Does this violate the principle of psychological acceptability (see Section 13.2.8)? Justify your answer. If a user forgets her password, how might she terminate the program without using the master password? (Hint: Although she cannot use that terminal, she can use another terminal to access the system.) How might a user determine the master password? Discuss steps that the implementer could take to prevent such a discovery. In particular, could a per-system master password be implemented (rather than a single master password for the program)? How?
3:	The example of Peter and Deborah on the UNIX system in Section 28.3.1 assumes that Deborah is the only member, or that Deborah and Peter are the only members, of a group. If this is not so, can Peter give only himself and Deborah access to the file by using the abbreviated ACL? Explain either how he can or why he cannot.
4:	Suppose that Deborah, Peter, and Kathy are the only members of the group proj and that Deborah, Peter, and Elizabeth are the only members of the group exeter. Show how Peter can restrict access to the file design to himself and Deborah using only abbreviated ACLs. (Hint: Consider both design and its containing directory.)
5:	The UNIX umask disables access by default. The Windows scheme enables it. Discuss the implications of enabling access by default and of disabling access by default with respect to security. In particular, which of Saltzer and Schroeder's design principles [865] (see Chapter 13, “Design Principles”) is violated by either enabling or disabling access by default?
6:	Many UNIX security experts say that the umask should be set to 077 (that is, to allow access only to the owner). Why? What problems might this cause?

^[1]See Section 12.2.2.1, “Random Selection of Passwords.”

^[2]See Section 12.2.2.3, “User Selection of Passwords.”

^[3]See Section 12.2.2.1, “Random Selection of Passwords.”

^[4]See Section 12.2.2.3, “User Selection of Passwords.”

^[5]An example set of criteria begins on p. 316.

^[6]See Section 22.2, “Trojan Horses.”

^[7]See Section 27.4.2, “The Development System.”

^[8]See the examples in Section 11.4, “Example Protocols.”

^[9]See Section 14.6.1, “Host Identity.”

^[10]See Section 12.3, “Challenge-Response.”

^[11]See Section 13.2.1, “Principle of Least Privilege.”

^[12]Section 1.4, “Assumptions and Trust,” discusses the role of beliefs underlying security mechanisms such as a screen locking program. Section 18.1.3, “Assurance Throughout the Life Cycle,” discusses the role of assurance in developing software.

^[13]See Section 13.2.2, “Principle of Fail-Safe Defaults.”

^[14]See Section 13.2.6, “Principle of Separation of Privilege.”

^[15]See Section 23.4.5.1, “The xterm Log File Flaw,” and Section 29.5.3.3, “Race Conditions in File Accesses,” for other examples of race conditions.

^[16]See Section 15.1.1, “Abbreviations of Access Control Lists.”

^[17]See Section 15.1.4, “Example: Windows NT Access Control Lists.”

^[18]See Section 14.4, “Groups and Roles.”

^[19]See Section 14.4, “Groups and Roles.”

^[20]See Section 14.2, “Files and Objects.”

^[21]See Section 14.3, “Users.”

^[22]See, for example, Section 21.2.1.1, “TCSEC Functional Requirements,” and Section 21.8.3, “CC Security Functional Requirements.”

^[23]See Section 13.2.1, “Principle of Least Privilege.”

^[24]See Section 13.2.2, “Principle of Fail-Safe Defaults.”

^[25]See Section 22.2, “Trojan Horses.”

^[26]See Chapter 22, “Malicious Logic.”

^[27]See Section 14.6.1, “Host Identity.”

^[28]See Section 14.6.2, “State and Cookies.”

^[29]See Section 13.2.2, “Principle of Fail-Safe Defaults.”

^[30]See Section 13.2.8, “Principle of Psychological Acceptability.”

^[31]Here, “privileged users” means those who can read memory, swap space, or alter system programs.

^[32]See Section 13.2.1, “Principle of Least Privilege.”

^[33]See Section 13.2.2, “Principle of Fail-Safe Defaults.”

^[34]See Section 14.3, “Users.”

^[35]See Section 13.2.1, “Principle of Least Privilege.”

^[36]See Section 23.2.8, “Example: Penetrating a UNIX System.”

^[37]See Section 13.2.2, “Principle pf Fail-Safe Defaults.”

^[38]See Section 22.6, “Theory of Malicious Logic.”

^[39]See Section 22.7.1, “Malicious Logic Acting as Both Data and Instructions.”

^[40]See Section 14.5, “Naming and Certificates.”

^[41]See Section 10.5.2, “Key Revocation.”

^[42]See Section 13.2.8, “Principle of Psychological Acceptability.”

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for
28. User Security

Chapter 28. User Security

Policy

Access

Passwords

The Login Procedure

Trusted Hosts

Leaving the System

Files and Devices

Files

File Permissions on Creation

Group Access

File Deletion

Devices

Writable Devices

Smart Terminals

Monitors and Window Systems

Processes

Copying and Moving Files

Accidentally Overwriting Files

Encryption, Cryptographic Keys, and Passwords

Start-up Settings

Limiting Privileges

Malicious Logic

Electronic Communications

Automated Electronic Mail Processing

Failure to Check Certificates

Sending Unexpected Content

Summary

Research Issues

Further Reading

Exercises

Table of Contents for 28. User Security

Create new playlist

Sign In

Sign Up

Chapter 28. User Security

Policy

Access

Passwords

The Login Procedure

Trusted Hosts

Leaving the System

Files and Devices

Files

File Permissions on Creation

Group Access

File Deletion

Devices

Writable Devices

Smart Terminals

Monitors and Window Systems

Processes

Copying and Moving Files

Accidentally Overwriting Files

Encryption, Cryptographic Keys, and Passwords

Start-up Settings

Limiting Privileges

Malicious Logic

Electronic Communications

Automated Electronic Mail Processing

Failure to Check Certificates

Sending Unexpected Content

Summary

Research Issues

Further Reading

Exercises

Table of Contents for
28. User Security