Book Du Toc PDF
A Hands-on Approach
Wenliang Du
Syracuse University
©2017 by Wenliang Du.
The author of this book has used his best efforts in preparing this book. These efforts include
the development, research, and testing of theories and programs to determine their effectiveness.
The author makes no warranty of any kind, expressed or implied, with regard to these programs
or the documentation contained in this book. The author shall not be liable in any event for
incidental or consequential damages with, or arising out of, the furnishing, performance, or use
of these programs.
ISBN-13: 978-1548367947
ISBN-10: 154836794X
Contents
Preface xiii
Acknowledgments xix
I Software Security 1
1 Set-UID Programs 5
1.1 The Need for Privileged Programs 6
1.1.1 The Password Dilemma 6
1.1.2 Different Types of Privileged Programs 7
1.2 The Set-UID Mechanism 8
1.2.1 A Superman Story 8
1.2.2 How It Works 8
1.2.3 An Example of Set-UID Program 9
1.2.4 How to Ensure Its Security 10
1.2.5 The Set-GID Mechanism 10
1.3 What Can Go Wrong: What Happened to Superman 10
1.4 Attack Surfaces of Set-UID Programs 12
1.4.1 User Inputs: Explicit Inputs 12
1.4.2 System Inputs 13
1.4.3 Environment Variables: Hidden Inputs 13
1.4.4 Capability Leaking 14
1.5 Invoking Other Programs 16
1.5.1 Unsafe Approach: Using system() 16
1.5.2 Safe Approach: Using execve() 18
1.5.3 Invoking External Commands in Other Languages 19
1.5.4 Lessons Learned: Principle of Isolation 20
1.6 Principle of Least Privilege 20
1.7 Summary 21
3 Shellshock Attack 43
3.1 Background: Shell Functions 44
3.2 The Shellshock Vulnerability 46
3.2.1 The Shellshock Bug 46
3.2.2 Mistake in the Bash Source Code 46
3.2.3 Exploiting the Shellshock Vulnerability 47
3.3 Shellshock Attack on Set-UID Programs 48
3.4 Shellshock Attack on CGI Programs 49
3.4.1 Experiment Environment Setup 50
3.4.2 How Web Server Invokes CGI Programs 50
3.4.3 How Attacker Sends Data to Bash 51
3.4.4 Launching the Shellshock Attack 52
3.4.5 Creating Reverse Shell 53
3.5 Remote Attack on PHP 55
3.6 Summary 56
5 Return-to-libc Attack 89
5.1 Introduction 90
5.2 The Attack Experiment: Setup 91
5.3 Launch the Return-to-libc Attack: Part I 93
5.3.1 Task A: Find the Address of the system() Function 93
5.3.2 Task B: Find the Address of the String "/bin/sh" 94
5.4 Launch the Return-to-libc Attack: Part II 95
5.4.1 Function Prologue 95
5.4.2 Function Epilogue 96
5.4.3 Function Prologue and Epilogue Example 97
5.4.4 Perform Task C 98
5.4.5 Construct Malicious Input 99
5.4.6 Launch the Attack 100
5.5 Summary 101
14 Firewall 255
14.1 Introduction 256
14.2 Types of Firewalls 257
14.2.1 Packet Filter 257
14.2.2 Stateful Firewall 258
14.2.3 Application/Proxy Firewall 258
14.3 Building a Simple Firewall using Netfilter 258
14.3.1 Writing Loadable Kernel Modules 259
14.3.2 Compiling Kernel Modules 260
14.3.3 Installing Kernel Modules 260
14.4 Netfilter 261
14.4.1 netfilter Hooks for IPv4 262
14.4.2 Implementing a Simple Packet Filter Firewall 262
14.5 The iptables Firewall in Linux 265
14.5.1 The Structure of the iptables Firewall 265
14.5.2 Traversing Chains and Rule Matching 266
14.5.3 iptables Extensions 267
14.5.4 Building a Simple Firewall 268
14.6 Stateful Firewall using Connection Tracking 270
14.6.1 Stateful Firewall 270
14.6.2 The Connection Tracking Framework in Linux 271
14.6.3 Example: Set up a Stateful Firewall 272
14.7 Application/Proxy Firewall and Web Proxy 272
14.8 Evading Firewalls 273
14.8.1 Using SSH Tunneling to Evade Firewalls 273
14.8.2 Dynamic Port Forwarding 275
14.8.3 Using VPN to Evade Firewall 276
14.9 Summary 276
Preface
This book is for students, computer scientists, computer engineers, programmers, software
developers, network and system administrators, and others who want to learn the principles
of computer security and understand how various security attacks and countermeasures work.
Equipped with the knowledge from this book, readers will be able to design and implement
software systems and applications that are secure against attacks. They will also be able to
evaluate the risks faced by computer and network systems, detect common vulnerabilities in
software, use proper methods to protect their systems and networks, and more importantly, apply
the learned security principles to solve real-world problems.
The author strongly believes in “learning by doing”, so the book takes a hands-on approach.
For each security principle, the book uses a series of hands-on activities to help explain the
principle; readers can touch, play with, and experiment with the principle, instead of just reading
about it. For instance, if a security principle involves an attack, the book guides readers to
actually launch the attack (in a contained environment). If a principle involves a security
mechanism, such as firewall or Virtual Private Network (VPN), the book guides readers to
implement a mini-firewall or mini-VPN. Readers can learn better from such hands-on activities.
All the hands-on activities are conducted in a virtual machine image provided by the author.
They can be downloaded from this URL: http://www.cis.syr.edu/~wedu/seed/.
Everything needed for the activities has already been set up; readers just need to download
the VM (free), launch it using VirtualBox, and they can immediately work on the activities
covered in the book. This book is based on the Ubuntu 12.04 VM image. The author will
regularly upgrade the VM image every few years.
Most of the activities in the book are based on the author’s SEED labs, which are widely used
by instructors all over the world. These labs are the results of 15 years’ research, development,
and testing efforts conducted by the author and his students in a project called SEED, which has
been funded by the National Science Foundation since 2002.
write better programs so they are immune or more resilient to attacks. The network security part
focuses on the security principles related to the Internet. It not only covers some of the well-known
attacks on the Internet, but also covers important defense mechanisms, such as firewalls, VPNs,
and PKI.
The book is not intended to cover every attack or security measure. The topics covered in
the book are representative in terms of covering the fundamental security principles. Some of
the topics, such as cryptography, system security, and mobile security, are left out for the time
being, so the publication of this book will not be delayed for another one or two years. Some
of these topics will be added in future editions. The contents of this book are sufficient for the
courses that cover the fundamental principles of cybersecurity. For example, two of the author’s
courses (Computer Security and Internet Security) are based on the contents of this book. These
two courses are taught at both undergraduate and graduate levels.
While some chapters depend on previous chapters, most chapters are self-contained, and can
be read independently. The following list describes the partial dependence relationship among
chapters.
• Chapter 1 (Set-UID Programs) is the basis for most chapters in software security. This
chapter describes how the Set-UID mechanism works and gives an overview of the
attacks that can be launched against this type of privileged program. Although there are
many other types of privileged programs, we use this type of program to explain how
various attacks work.
• Chapter 4 (Buffer Overflow) is the basis for Chapter 5 (Return-to-libc Attack), because
return-to-libc attacks defeat one of the countermeasures covered in Chapter 4.
• Chapter 7 (Race Condition) and Chapter 8 (Dirty COW) are both related to the race
condition vulnerability, but we suggest that readers read Chapter 7 first, as it is easier to
understand.
• Chapter 12 (Sniffing and Spoofing) is the basis for most of the network attacks covered in
the book, so it should be read first before the other chapters in Network Security.
• Chapter 18 (Public Key Infrastructure) is the basis for Chapter 19 (Transport Layer
Protocol).
use, but for many other instructors who share the same teaching philosophy as he does. All the
labs should be based on one unified environment, so students do not need to spend too much
time learning a new environment for different labs. Moreover, the lab environment should be
easy and inexpensive to set up, so instructors are not hindered even if they have limited time or
resources.
With the above goals in mind and an initial grant from NSF ($74,984.00, Award No. 0231122),
he started the journey in 2002, naming the project as SEED (standing for SEcurity EDucation).
Ten years later, after another NSF grant ($451,682, Award No. 0618680) and the help from over
20 students, he has developed about 30 SEED labs, covering many security topics, including
vulnerabilities, attacks, software security, system security, network security, web security, ac-
cess control, cryptography, mobile security, etc. Most SEED labs have gone through multiple
development-trial cycles—development, trial, improvement, and trial again—in actual courses
at Syracuse University and many other institutes.
The SEED project has been quite successful. As of now, more than 600 instructors worldwide
told the author that they have used some of the SEED labs; more people simply used the
SEED labs without telling (which is perfectly fine), as all the SEED lab materials and the lab
environment are available online, free of charge. To help others use the SEED labs, NSF gave
the author another grant ($863,385.00, Award No. 1303306), so he can organize two training
workshops each year and fund those who are interested in attending the workshops. Every
year, about 70 instructors attend the workshops.
Acknowledgments
I would like to thank the National Science Foundation for providing the funding support for my
SEED project, which laid the foundation for this book. Since 2002, three NSF grants supported
the SEED project, including Award No. 0231122, 0618680, and 1303306. I especially thank the
Program Director Dr. Victor P. Piotrowski for his leadership in cybersecurity education and for
putting the trust in my SEED project.
The SEED project is built on the joint effort of many of my students over the past 15 years. I
would like to acknowledge the following students for their contributions: Dr. Yousra Aafer, Amit
Ahlawat, Francis Akowuah, Swapnil Bhalode, Ashok Bommisetti, Sudheer Bysani, Bandan
Das, Nishant Doshi, Jinkai Gao, Hao Hao, Lin Huang, Sridhar Iyer, Apoorva Iyer, Dr. Karthick
Jayaraman, Yuexin (Eric) Jiang, Xing Jin, Vishtasp Jokhi, Sharath B. Koratikere, Dr. Tongbo
Luo, Sankara Narayanan, Nagesh Gautam Peri, Karankumar H. Patel, Amey Patil, Balamurugan
Rajagopalan, Dr. Paul Ratazzi, Divyakaran Sachar, Mingdong Shang, Sunil Vajir, Dr. Ronghua
Wang, Shaonan Wang, Yifei Wang, Zhenyu Wang, Kailiang Ying, Haichao Zhang, Dr. Xiao
Zhang, Zhuo Zhang, and Dr. Zutao Zhu.
I would like to acknowledge all the instructors who have used my SEED labs in their classes,
as well as those who attended my workshops. Many of them sent me encouraging words,
suggestions, and feedback; they also helped spread the word about my SEED labs. They made
my work meaningful, and inspired me to keep moving forward in my project.
Most importantly, I would like to thank my family for their support, for their trust in me,
and for the sacrifice of family time due to the writing of this book.