Post on 20-Jan-2016
constructing secured and safe C/UNIX programs
1
Constructing Secured and Safe C/UNIX Programs
presenter: shilan habibi
constructing secured and safe C/UNIX programs
2
• Secured Network Programming
• Generic Security Service Application Program Interface
• Open Secure Socket Layer Application Program Interface
• Sockets
• Raw Socket
• UNIX Virtualization
Title list:
constructing secured and safe C/UNIX programs
3
Secured Network Programming
• API GSS-APIRPCSECSSLTLS
constructing secured and safe C/UNIX programs
4
Generic Security Service Applicatio Program Interface
GSS-API offers:
• Confidentiality
• integrity
• authentication
• nonrepudiation
constructing secured and safe C/UNIX programs
5
Generic Security Service Application Program Interface
GSS-API does two things:
1- creates a security context between applications
2-secured data transfers between applications
constructing secured and safe C/UNIX programs
6
Generic Security Service Application Program Interface
The GSS-API stack
constructing secured and safe C/UNIX programs
7
Generic Security Service Application Program Interface
RPCSEC_GSS:
• is an additional layer that seamlessly integrates GSS-API with RPC
• it provides all the functionality of GSS-API in a way that is tailored to RPC
constructing secured and safe C/UNIX programs
8
Generic Security Service Application Program Interface
some of the significant APIs from the GSS-API list:• GSS_Acquire_cred• GSS_Import_name• GSS_Init_sec_context• GSS_Accept_sec_context• GSS_Wrap• GSS_Unwrap
constructing secured and safe C/UNIX programs
9
Secure Network Programming
SNP provides secure network communication with:
• data origin authenticity
• data integrity
• data confidentiality services on top of the usual stream
• datagram services provided by sockets or TCP/IP
constructing secured and safe C/UNIX programs
10
Secure Network Programming
SNP has three protocols:
• a secure bootstrap protocol
• a user–host mutual authentication protocol
• a protocol for named service
constructing secured and safe C/UNIX programs
11
Secure Network Programming
list of services provided by SNP:• Persistent delivery (PD)
• Best effort delivery (BED)
• Sequenced delivery (SD)
• Data confidentiality (DC)
• Data integrity (DI)
• Data origin authenticity)DOA)
• Data destination authenticity (DDA)
• Connection authenticity (CA)
constructing secured and safe C/UNIX programs
12
Secure Network Programming
For initialization, SNP off ers the following API:
• int snp (int family, int type, int protocol)
• int snp_bind (int snp_ep, struct sockaddr *local_addr, int addr_len)
• int snp_listen (int snp_ep, int backlog)
• int snp_attach (int snp_ep, struct name_s *local_name, struct name_s *peer_name)
constructing secured and safe C/UNIX programs
13
Secure Network Programming
For connection establishment, SNP off ers the following API:
• int snp_connect (int snp_ep, struct sockaddr *peer_addr, int peer_addr_len)
• int snp_accept (int snp_ep, struct sockaddr *peer_addr, int peer_addr_len)
constructing secured and safe C/UNIX programs
14
Secure Network Programming
For data transfer, SNP offers the following API:• int snp_write (int snp_ep, char *buf, int nbytes)
• int snp_read (int snp_ep, char *buf, int nbytes)
• int snp_send (int snp_ep, char *buf, int nbytes, int fl ags)
• int snp_recv (int snp_ep, char *buf, int nbytes, int fl ags)
• int snp_sendto (int snp_ep, char *buf, int nbytes, int fl ags, struct sockaddr *to, int tolen)
• int snp_recvfrom (int snp_ep, char *buf, int nbytes, int fl ags, struct sockaddr *from, int *fromlen)
constructing secured and safe C/UNIX programs
15
Secure Network Programming
For connection release, SNP off ers the following API:
• int snp_close (int snp_ep)
• int snp_shutdown (int snp_ep, int how)
constructing secured and safe C/UNIX programs
16
Secure Network Programming
For utility-related functions, SNP off ers the following API:
• int snp_setopt (int snp_ep, int level, int optname, char *optval, int optlen)
• Int snp_perror (const char *s).
• int snp_getpeerid (int snp_ep, struct name_s *peer_name).
constructing secured and safe C/UNIX programs
17
Open Secure Socket Layer Application Program Interface
• SSL
• TLS
• OpenSSL
constructing secured and safe C/UNIX programs
18
Open Secure Socket Layer Application Program Interface
OpenSSL ssl library functions deals with the following data structur:
• SSL_METHOD
• SSL_CIPHER
• SSL_CTX
• SSL_SESSION
• SSL
constructing secured and safe C/UNIX programs
19
Open Secure Socket Layer Application Program Interface
Currently the OpenSSL ssl library exports API functions:
• API dealing protocol methods
• API dealing ciphers
• API dealing protocol context
• API dealing sessions
• API dealing connections
constructing secured and safe C/UNIX programs
20
Sockets
Socket(2) creates an endpoint for communication and returns a descriptor.
A server typically calls socket(2), bind(2), listen(2), and accept(2) or select(2).
A client typically calls socket(2), bind(2). send(2), recv(2), write(2), or read(2).
for data exchange. close(2) or shutdown(2) to close the socket.
constructing secured and safe C/UNIX programs
21
Raw Socket
• You will never need to write code using raw socket.Raw socket is a computer networking term used to describe a socket that allows access to packet headers on incoming
and outgoing packets.
• To open a raw socket
int fd = socket (PF _ INET, SOCK _ RAW, IPPROTO _ TCP);
constructing secured and safe C/UNIX programs
22
UNIX Virtualization
• Virtualization is a philosophy wherein the
operating environment abstracts the
computer resources. UNIX offers memory
virtualization where UNIX attempts to offer
an unlimited memory to the application or the user.
constructing secured and safe C/UNIX programs
23
UNIX Virtualization
• Chroot in UNIX is another type of virtualization. It is
used to restrict access to fi les and directories.
• #include <unistd.h>
chdir(“/foo/bar”);
chroot(“/foo/bar”);
setuid(non zero UID);
constructing secured and safe C/UNIX programs
24
REGARD