Documente Academic
Documente Profesional
Documente Cultură
Project 2 Due
Outline
General principles
Least privilege, defense in depth,
General Principles
Compartmentalization
Principle of least privilege
Defense in depth
Use more than one security mechanism Secure the weakest link Fail securely
Compartmentalization
Divide system into modules
Each module serves a specific purpose
Assign different access rights to different modules
Read/write access to files Read user or network input Execute privileged instructions (e.g., Unix root)
Example
Compartmentalization (II)
Defense in Depth
Failure is unavoidable plan for it Have a series of defenses
If an error or attack is not caught by one mechanism, it should be caught by another
Examples
Firewall + network intrusion detection
Fail securely
Many, many vulnerabilities are related to error handling, debugging or testing features, error messages
Main point
Do security analysis of the whole system Spend your time where it matters
Keep It Simple
Use standard, tested components
Dont implement your own cryptography
Qmail
Simpler system designed with security in mind Gaining popularity Qmail was written by Dan Bernstein, starting 1995 $500 reward for successful attack; no one has collected
mbox
mbox
Message composed using an MUA MUA gives message to MTA for delivery
If local, the MTA gives it to the local MDA If remote, transfer to another MTA
Example: Qmail
Compartmentalize
Nine separate modules If one module compromised, others not
Move separate functions into mutually untrusting programs
MUA
qmail-smtpd
qmail-inject
qmail-rspawn
qmail-lspawn
qmail-remote
remote mailserver
to local
Structure of qmail
qmail-smtpd qmail-queue Incoming SMTP mail qmail-send qmail-rspawn qmail-lspawn Other incoming mail qmail-inject
qmail-remote
qmail-local
Structure of qmail
qmail-smtpd Splits mail msg into 3 files
Message contents 2 copies of header, etc.
qmail-inject qmail-queue
qmail-send qmail-lspawn
qmail-remote
qmail-local
Structure of qmail
qmail-smtpd qmail-send signals
qmail-lspawn if local qmail-remote if remote
qmail-inject qmail-queue
qmail-send qmail-lspawn
qmail-rspawn
qmail-remote
qmail-local
Structure of qmail
qmail-smtpd qmail-queue qmail-inject
qmail-send qmail-lspawn
qmail-lspawn
Spawns qmail-local qmail-local runs with ID of user receiving local mail
qmail-local
Structure of qmail
qmail-smtpd qmail-queue qmail-inject
qmail-send qmail-lspawn
qmail-local
Handles alias expansion Delivers local mail Calls qmail-queue if needed
qmail-local
Structure of qmail
qmail-smtpd qmail-queue qmail-inject
Least privilege
qmail-smtpd qmail-inject qmail-queue
setuid
root
qmail-remote
qmail-local
root
root
inetd qmaild
qmail-start
Start qmailsend & queue management
UIDs
user
qmail-smtpd
qmail-inject
qmail-queue
setuid
qmail-send
qmailr qmails
qmails
qmail-rspawn
qmail-lspawn
setuid user
root
root
user
qmailr
qmail-remote
qmail-local
Parsing
Keep it simple
Libraries
Avoid standard C library, stdio
Write bug-free code (DJB)
Comparison
Lines qmail-1.01 sendmail-8.8.8 zmailer-2.2e10 smail-3.2 exim-1.90 16028 52830 57595 62331 67778 Words 44331 179608 Chars 370123 1218116 Files 288 53 227 151 127
272084 2092351
Validate input
Respond judiciously
Secure Programming
Validate all your inputs
Command line inputs, environment variables, CGI inputs,
Don't just reject bad input, define good and reject all else
Backup Slides