1 of 111 Cybersecurity Summit 2004 Some Thoughts on Network and Computer Security in an Academic...

1 of 111Cybersecurity Summit 2004

Some Thoughts on Network and Computer Security in an

Academic Environment

Bill CheswickLumeta Corp.

[email protected]://www.cheswick.com/


Goals

• Some thoughts that might be relevant

• How do you secure things when you absolutely have to. (Intellink)

• Some (best?) practices I’ve seen or tried

• Suggest some research projects and directions that might help in the longer run

• Perhaps some keynote thoughts relevant for the panels


This is possibly the hardest problem in computer security

• Academic environment means free and open access

• Security generally engineers lack the clout to enforce security policies

• Clients access the major resources from client hosts around the world

• Some assembly required

72 slides 4 of 112Cybersecurity Summit 2004

What does it mean to win?

Threat models


What does it mean to win?

• Keeping the hacker out of critical systems?– What are your critical systems, anyway?

• Catching him/them?

• Nobody notices that everything is working?

• No mention on the front pages of major newspapers?

• No angry probing calls from your funding agency?


Threat models at supercomputer centers

• Embarrass system administrators

• Establish base for attacking other sites?

• Maximize downtime

• Attacks on science: corruption of data or programs– Scientists used to share ideas, now they

share programs– The dirty word nebula in the Virgo cluster

• Attack by a patient Luddite


Case studies

• Me– Limited user base– Highly compliant users– Low admin/machine ratio

• Intellink


This talk is mostly about *nix systems, except as noted

• Most big iron runs some *nix OS, proprietary or not

• Microsoft has their own problems…


Microsoft’s Augean Stables:a task for Hercules

• 3000 oxen, 30 years, that’s roughly one oxen-day per line of code in Windows

• It’s been getting worse since Windows 95


Network and Host security as I see it


Traditional view of host software

Kernel

User programs


This traditional view of host software is wrong

Kernel

User programs


User-level programs use the kernel to interface with the outside world

Kernel

User programs


Example: SYN packet attacks

Kernel

UserprogramsAttacking packets are never

seen at user level….


Example: SYN packet attacks

Kernel

UserprogramsAttacking packets are never

seen at user level….

…although user mode enablesthe kernel listener.


Direct attacks on the kernel are fairly rare

Kernel

Userprograms

TCP/IP


Direct attacks on the kernel are fairly rare

• Though the software is complex and hard to test, it’s hard to do more than break the kernel

• Used mostly for DOS attacks

• Ping ‘o death

• Random IP options game (crashme)

Kernel

Userprograms

TCP/IP


Some ways to break into a host:

1) subvert a privileged network daemon


Subvert a privileged network daemon

Kernel

Userprograms

TCP/IP

Networkdaemon


Rate a computer’s network security?

netstat –an | wc -l


Windows MEActive Connections - Win ME

Proto Local Address Foreign Address State TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING TCP 223.223.223.10:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:31337 *:* UDP 0.0.0.0:162 *:* UDP 223.223.223.10:137 *:* UDP 223.223.223.10:138 *:*


Windows 2000

Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING TCP 0.0.0.0:6515 0.0.0.0:0 LISTENING TCP 127.0.0.1:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1038 *:* UDP 0.0.0.0:6514 *:* UDP 0.0.0.0:6515 *:* UDP 127.0.0.1:1108 *:* UDP 223.223.223.96:500 *:* UDP 223.223.223.96:4500 *:*


Windows XP: this laptop, pre-SP2 Proto Local Address Foreign Address State TCP ches-pc:epmap ches-pc:0 LISTENING TCP ches-pc:microsoft-ds ches-pc:0 LISTENING TCP ches-pc:1025 ches-pc:0 LISTENING TCP ches-pc:1036 ches-pc:0 LISTENING TCP ches-pc:3115 ches-pc:0 LISTENING TCP ches-pc:3118 ches-pc:0 LISTENING TCP ches-pc:3470 ches-pc:0 LISTENING TCP ches-pc:3477 ches-pc:0 LISTENING TCP ches-pc:5000 ches-pc:0 LISTENING TCP ches-pc:6515 ches-pc:0 LISTENING TCP ches-pc:netbios-ssn ches-pc:0 LISTENING TCP ches-pc:3001 ches-pc:0 LISTENING TCP ches-pc:3002 ches-pc:0 LISTENING TCP ches-pc:3003 ches-pc:0 LISTENING TCP ches-pc:5180 ches-pc:0 LISTENING UDP ches-pc:microsoft-ds *:* UDP ches-pc:isakmp *:* UDP ches-pc:1027 *:* UDP ches-pc:3008 *:* UDP ches-pc:3473 *:* UDP ches-pc:6514 *:* UDP ches-pc:6515 *:* UDP ches-pc:netbios-ns *:* UDP ches-pc:netbios-dgm *:* UDP ches-pc:1900 *:* UDP ches-pc:ntp *:* UDP ches-pc:1900 *:* UDP ches-pc:3471 *:*


It is easy to dump on Microsoft, but many others have made the

same mistakes before


ftp stream tcp nowait root /v/gate/ftpdtelnet stream tcp nowait root /usr/etc/telnetdshell stream tcp nowait root /usr/etc/rshdlogin stream tcp nowait root /usr/etc/rlogind exec stream tcp nowait root /usr/etc/rexecd finger stream tcp nowait guest /usr/etc/fingerd bootp dgram udp wait root /usr/etc/bootp tftp dgram udp wait guest /usr/etc/tftpd ntalk dgram udp wait root /usr/etc/talkd tcpmux stream tcp nowait root internalecho stream tcp nowait root internaldiscard stream tcp nowait root internalchargen stream tcp nowait root internaldaytime stream tcp nowait root internaltime stream tcp nowait root internalecho dgram udp wait root internaldiscard dgram udp wait root internalchargen dgram udp wait root internaldaytime dgram udp wait root internaltime dgram udp wait root internalsgi-dgl stream tcp nowait root/rcv dglduucp stream tcp nowait root /usr/lib/uucp/uucpd

Default servicesSGI workstation: mid 1990s


More default services

mountd/1 stream rpc/tcp wait/lc root rpc.mountdmountd/1 dgram rpc/udp wait/lc root rpc.mountdsgi_mountd/1 stream rpc/tcp wait/lc root rpc.mountdsgi_mountd/1 dgram rpc/udp wait/lc root rpc.mountdrstatd/1-3 dgram rpc/udp wait root rpc.rstatd walld/1 dgram rpc/udp wait root rpc.rwalld rusersd/1 dgram rpc/udp wait root rpc.rusersd rquotad/1 dgram rpc/udp wait root rpc.rquotad sprayd/1 dgram rpc/udp wait root rpc.sprayd bootparam/1 dgram rpc/udp wait root rpc.bootparamdsgi_videod/1 stream rpc/tcp wait root ?videod sgi_fam/1 stream rpc/tcp wait root ?fam sgi_snoopd/1 stream rpc/tcp wait root ?rpc.snoopd sgi_pcsd/1 dgram rpc/udp wait root ?cvpcsd sgi_pod/1 stream rpc/tcp wait root ?podd tcpmux/sgi_scanner stream tcp nowait root ?scan/net/scannerdtcpmux/sgi_printer stream tcp nowait root ?print/printerd webproxy stream tcp nowait root /usr/local/etc/webserv


FreeBSD partition, this laptop(getting out of the game)

Active Internet connections (including servers)Proto Recv-Q Send-Q Local Address tcp4 0 0 *.22 tcp6 0 0 *.22


“Best block is not be there”

- Mr. Miyagi (Pat Morita)

Karate Kid


Secure network services for *nix

• Postfix

• Openssh– But if the call comes…


Properties of these services

• The authors cared very much about security from the first moment of design

• The code has a low rate of “improvements,” which gives the code a chance to stabilize

• The security record for these is excellent, though not perfect

• Careful efforts by a few have benefited us all


Some popular network services I don’t like

• NFS– Not Unix file system semantics– RPC implementation is complicated and

dangerous

• Still sniffable– POP3– SNMP– Instant messaging


Research/project/funding suggestion

• Rewrite or audit the software we rely on the most– This has been done to some extent…see

below– Libc, ASN.1 compiler, C compiler, kernel

calls (“Setuid demystified”)

• Perhaps Knuth would write a new inetd…


The Pretty GoodWall of China


Perimeter defenses don’t work…

• If the perimeter is too big, or

• If you have to let the barbarians in



2) subvert a user account and break into root or admin using setuid

programs


Subvert a user account and break into root or admin

Kernel

TCP/IP

User

Setuidprogram


“Unix is an administrative nightmare.”

-- Dennis Ritchie


“GUIs are not the answer to Unix’s administrative

nightmare.”

-- me


Rate a Unix systems host security?

find / -perm -4000 -user root -print | wc -l


/bin/rcp/sbin/ping/sbin/ping6/sbin/shutdown/usr/X11R6/bin/Xwrapper/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/keyinfo/usr/bin/keyinit/usr/bin/lock/usr/bin/crontab/usr/bin/opieinfo/usr/bin/opiepasswd/usr/bin/rlogin/usr/bin/quota/usr/bin/rsh/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/chpass/usr/bin/login

/usr/bin/passwd/usr/bin/at/usr/bin/ypchsh/usr/bin/ypchfn/usr/bin/ypchpass/usr/bin/chsh/usr/bin/chfn/usr/bin/yppasswd/usr/bin/batch/usr/bin/atrm/usr/bin/atq/usr/local/bin/screen/usr/local/bin/sudo/usr/local/bin/lppasswd/usr/sbin/mrinfo/usr/sbin/mtrace/usr/sbin/ppp/usr/sbin/pppd/usr/sbin/sliplogin/usr/sbin/timedc/usr/sbin/traceroute/usr/sbin/traceroute6

44


Remove the ones I never use

You should never be vulnerable to the weaknesses of a feature you do not use.

-- Microsoft security goal


/bin/rcp/sbin/ping/sbin/ping6/sbin/shutdown/usr/X11R6/bin/Xwrapper/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/keyinfo/usr/bin/keyinit/usr/bin/lock/usr/bin/crontab/usr/bin/opieinfo/usr/bin/opiepasswd/usr/bin/rlogin/usr/bin/quota/usr/bin/rsh/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/chpass/usr/bin/login

/usr/bin/passwd/usr/bin/at/usr/bin/ypchsh/usr/bin/ypchfn/usr/bin/ypchpass/usr/bin/chsh/usr/bin/chfn/usr/bin/yppasswd/usr/bin/batch/usr/bin/atrm/usr/bin/atq/usr/local/bin/screen/usr/local/bin/sudo/usr/local/bin/lppasswd/usr/sbin/mrinfo/usr/sbin/mtrace/usr/sbin/ppp/usr/sbin/pppd/usr/sbin/sliplogin/usr/sbin/timedc/usr/sbin/traceroute/usr/sbin/traceroute6


/sbin/ping/sbin/ping6/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/crontab/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/login/usr/bin/passwd/usr/bin/at/usr/bin/chsh/usr/bin/atrm/usr/bin/atq/usr/local/bin/sudo/usr/sbin/traceroute/usr/sbin/traceroute6


Some should not need root, or shouldn’t be

setuidLeast privilege


/sbin/ping/sbin/ping6/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/crontab/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/login/usr/bin/passwd/usr/bin/at/usr/bin/chsh/usr/bin/atrm/usr/bin/atq/usr/local/bin/sudo/usr/sbin/traceroute/usr/sbin/traceroute6


/usr/X11R6/bin/Xwrapper-4/usr/bin/su/usr/bin/passwd/usr/bin/chsh/usr/local/bin/sudo



• Re-engineer these programs to lower their privilege requirements– (you’ve been complaining about this in

Microsoft software!)• (and justifiably so)

• Extra funding for reducing the size of the programs

• Must be done on many *nix distributions, not just your favorite one


AIX 4.2 & 242 & a staggering number \\BSD/OS 3.0 & 78 \\FreeBSD 4.3 & 42 & someone's guard machine\\FreeBSD 4.3 & 47 & 2 appear to be third-party\\FreeBSD 4.5 & 43 & see text for closer analysis \\HPUX A.09.07 & 227 & about half may be special for this host \\Linux (Mandrake 8.1) & 39 & 3 appear to be third-party \\Linux (Red Hat 2.4.2-2) & 39 & 2 third-party programs \\Linux (Red Hat 2.4.7-10) & 31 & 2 third-party programs\\Linux (Red Hat 5.0) & 59 \\Linux (Red Hat 6.0) & 38 & 2--4 third-party \\Linux 2.0.36 & 26 & approved distribution for one university \\Linux 2.2.16-3 & 47 \\Linux 7.2 & 42 \\NCR Intel 4.0v3.0 & 113 & 34 may be special to this host \\NetBSD 1.6 & 35 \\SGI Irix 5.3 & 83 \\SGI Irix 5.3 & 102 \\Sinux 5.42c1002 & 60 & 2 third-party programs\\ Sun Solaris 5.4 & 52 & 6 third-party programs\\Sun Solaris 5.6 & 74 & 11 third-party programs\\Sun Solaris 5.8 & 70 & 6 third-party programs\\Sun Solaris 5.8 & 82 & 6 third-party programs\\Tru64 4.0r878 & 72 & \\

Setuid-root



3) Fool a user (system administrator?) into executing your code while privileged


Modified versions of ssh client in user’s /bin directory

• Why was this ever executed. Did the bad guys change the PATH data

• Stuff like this can be checked regularly with an updated version of something like COPS.

• User’s are going to get this wrong (i.e. not notice it), and we are going to have to live with it


If the bad guys get a user account on your Unix system, they can

root the machine.

Game over.


Network security

Engineering secure systems from insecure parts?

Some assembly required


Secure computing requirements

• Secure client

• Secure communications

• Secure server

User

Client host(in Molvania)


Secure client

• You don’t have that

• You probably can’t have that

• It would be expensive and inconvenient if you do have it


Secure communications

• Got it! We won the crypto wars

• In June 2003, NSA said that a properly implemented and vetted version of AES is suitable for Type 1 cryptography!

• Ssh is not perfect, but it is holding up pretty well



• Formal methods for protocol design and verification

• This has been on some lists for a long time

• It is hard


Secure servers

• That’s your job

• Potentially doable

• You must mistrust all clients, even with strong authentication!


Review of security checkpoints

User




User


Front end



User


Front end

Big Iron



User


Front end

Big Iron

File server/File backup



User


Front end

Big Iron


Hacker


It is poor engineering to rely on the security savvy of the user base


Users are not going to pick passwords that are resistant to dictionary attacks. Period.

• Either don’t let them pick passwords– Inconvenient for the users– Not a panacea (see below)

• Or don’t give the bad guys a chance to run dictionary attacks---get out of the game– That means passwords are validated on

the server, not the client– Ssh agent keys get this wrong– Bank ATM cards get this right


Don’t let users pick passwords

• Machine can choose them. Then they get written down and/or forgotten. Not good, though post-it passwords don’t involve the usual threat models. Bad idea.– Password aging is a bad idea. Good

passwords are hard to think up and remember

• Use multifactor authentication, i.e. hardware tokens or one-time passwords


Hardware tokens

• It would be nice if the server end is open source

• The business model has never been one for global adoption

• Challenge/response form factor is the safest, but not accepted


OTPs are not a cure-all perfect

• I installed these at Bell Labs in the early 1990s

• “We never had an undetected break-in” – me

• “Yes, you did.” – Steve Branigan



User


Front end

Big Iron


Hacker


Case Study

My little home network


User base

• Me

• My family– (family members are like employees, from

a security standpoint)


Goals

• Easy experimentation on the Internet– No firewall for secure clients and servers

• Support for family computing– Shared file system– 140GB of family photos– Digital house support

• Experimentation with strong host security– Is it too hard to trade off convenience for

security? Skinny-dipping on the Internet

• Protect family databases


Threats

• Loss of data

• Loss of Saturdays

• Loss of face


Tools

• Very few network services

• Moderately-well understood OS (FreeBSD)

• Unsafe network services in chroot jails– Belt and suspenders

• End-to-end encryption, always– No kiosks for reading mail…– WAP and sniffed Ethernets not a problem

• Two factor authentication


More tools

• Network and host monitors for alien packets and changes to important files

• Lots of disk space (>1TB at home)– Onsite and offsite backups with rsync

over ssh


My home network

User


Family web serverShared files

File backup


Access rules

• Ssh only for non-web access

• Other services tunneled through ssh– With Unix or MSFT client

• Backup hosts unreachable from the outside, and from the server host

• I win if the backed up machines remain unhacked, and the file contents remain intact


Results

• Almost ten-year old experiment– No viruses, no break-ins– Was a mail relay for a few weeks

• Working quite well

• Daughter away at school has to follow same rules for home access– My email service for her was substandard

• Still need a good POP3S service for me Treo

• Cooperative user population makes all the difference


Case Study

Intellink


Caveat

• I have no current clearance

• I have received no briefings on Intellink


Intellink

• Described in James Banford’s Body of Secrets

• Imagine a distribution system for top secret information using search engines and Internet technology

• Given the known security “successes” of the Internet, how the hell would you implement such a thing with a reasonable expectation of security?!!


Some of my list

• Sealed client hardware– Client required to access the secrets– On-board crypto, that zeroizes when the

box is opened, or movement or light is detected inside the box

– No software updates or changes available in the field

– Virtual machines for different levels of classification. Linux implementation?

• Probably external hardware crypto as well


Client software

• Pick a browser, and spend a lot of money…– Ripping out unneeded features– Vetting the SSL implementation– Vetting the C compiler and libraries used


Server hosts

• Every server is registered

• Only registered servers allowed

• Network is scanned constantly for alien hosts and servers


Very strong user authentication

• Also, PKI and protected databases of who is authorized for what– Database is distributed among the

servers, no central repository

• Revocation lists, tight policies with employment office to kill dead accounts


Access only from within the intranet

• Perimeter security, tightly patrolled

• Firewalls (“guards”) to other networks, intensely engineered and constantly watched

• Intranet is wired with packet sniffers, IDS, etc.– Every anomaly is chased down– There is enough funding to do that

• If a virus appears, there is enough instrumentation to find out where it came from, and how far it got


Policy support

• A big mallet to use on non-compliant users– Spooks are generally little better than

normal users

• Mallet (which exists, for classified data) includes:– Official reprimand– Disconnection from the network– Dismissal– Criminal charges

• Accountability story at the NSA web site


I’ve talked to some spooks

• Obviously, this is an incomplete list

• Not all safeguards are implemented as well as I might hope

• These guesses, and others, are pretty close to the mark– They’ve spent hundreds of thousands of

dollars vetting software….Hmmm


Linux SE

• Mods came from the NSA

• Quickly implemented in public Linux systems

• This is a nice model, could we have more, please?



• See if some of the vetted software can be declassified and distributed

• Win-win funding situation for the public and the spooks

• Open source means you can trust the NSA!


How I Would Fix This*

* Given some money and a lot of clout


Secure servers and big iron, and

• Only allow connections from special client hardware

• Yes, I know this is probably not going to fly, but it is the only solution that would greatly improve the situation


A custom client computer is required

• Turnkey system

• No shell prompts, no root access, no network services

• USB key fob with PIN to login– Requires reinsertion now and then if

terminal is idle

• Tamper-resistant key/chip zeroizes if case is opened– Contact || light || motion detected


More on the client

• It only accesses the remote supercomputer cluster

• All access is over the network, and encrypted…ssh is good enough

• Can read data off a CDROM. Data only, no programs or patches installable

• This is a pain, and a little expensive: they won’t like this


The network

• Has end-to-end encryption. Ssh with public key, plus some sort of authentication when first logging on that requires the fob.


The server

• Since keeping users out of root is hard, each user gets his own virtual machine on the server

• He can run batch or interactive stuff.

• The server may be a front end to clusters or other hardware


Other mitigations

• Static kernel defeats loadable hacking modules– You do recompile your kernel from

sources anyway, don’t you?

• B1 systems– A further major administrative nightmare– But it could help a lot



• How can we chroot user-level programs?

• I don’t trust my browser, and would like to jail it

• Chroot doesn’t hack it

• There have been a number of papers on the topic, back over 10 years

• None are widely implements

• Browser plus jailing config file


Summary: we ought to win these battles

• We control the playing field

• DOS is the worse they can do, in theory

• We can replicate our successes

• We can converge on a secure-enough environment


Some successes

• Linux SE– Helpful feedback from NSA– I’d like to see a lot more of this

• Programs written by security fanatics– Postfix (mail transport)– Openssh (secure terminal sessions and

file transport)


A few projects

• Secure Debian

• OpenBSD and others

• NSF Cyber Trust looks promising

• Variety of other research operating systems


This is openssh

• One of the successes of the last decade

• Not quite perfect, but much better than the alternatives– No excuse to run telnet or ftp (except

anonymous) any more

• Yes, you can afford the overhead for crypto, even when moving terabytes– Thanks to Moore’s law, you are unlikely to

notice it


Software scales

• Linus can write a kernel

• Don Knuth can write a kernel

• Profit is not necessarily an obstacle to engineering the software we need

• LinuxSE


Executive Summary - I

• Internet security is still quite hard, and we are not very good at it

• Internet security is hardest when we are supporting a large number of users– If we can’t control their security, they

become the source of attacks

• Security is hardest in an open environment

• We don’t have hard answers, just mitigations

• Attacks like these will happen again


Executive Summary - II

• We’ve actually gotten noticeably better at Internet security in the past decade– Strong encryption is easy and can be

ubiquitous– Robust clients are increasingly possible– Much server software is stronger now– Microsoft is trying to clean up their act

• None of this is easy to explain to non-technical funders who read about it on the front page of the newspaper


Conclusion

The problem of secure computing in an open environment with many

users is unsolved, and it appears to be quite hard. The best we can hope for is gradual mitigation, converging on a safer world.


You will not see the end of this process,

nor are you allowed to desist from it

1 of 111 Cybersecurity Summit 2004 Some Thoughts on Network and Computer Security in an Academic...

Documents

Transcript of 1 of 111 Cybersecurity Summit 2004 Some Thoughts on Network and Computer Security in an Academic...