Executing Code with Too Much Privilege
CSCE 548 Student Presentation
Katherine Austin
July 26, 2016

Introduction
• Computer Information Systems (CIS) major.
• Returned to complete my bachelor’s degree after 19+ years. Only 6 classes to go!
• Full-time SCANA employee for the last 18 years.
• Currently a senior software engineer in their IST department.
Ok, enough about me. On to the presentation!

CSCE 548 Presentation – Katherine Austin

Agenda
• Technical Overview of the Problem
• Examples
• Detection Methods and Prevention
• Conclusion
• References

Technical Overview of the Problem
What do we mean by code executing with too much privilege?
• Software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. [2]
• High privilege – any process that is capable of performing sensitive operations. [1]
• Low privilege – processes running under accounts that are task-constrained. [1]

Technical Overview of the Problem (cont.)
New weaknesses can be exposed because running with extra privileges, such as root, Administrator or Local System, can disable the normal security checks performed by the operating system or environment. [2]
Typically web and application systems execute using these privileged accounts. When running as root or Local System, the processes and the code on top of these processes run with all of the rights of these users.
Malicious code will execute with the authority of the privileged account, thus increasing the possible damage from an exploit. [2]

Example #1: Code to create new user folder
Issue: If the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. The program runs in a raised state indefinitely. [2]

Example #2: Apache Tomcat
The above allows members to be able to start/stop tomcat. [5]
Issue: If the startup script is writable by anyone other than root, the users can insert commands into the script and have them run as root. Very big security risk!

Detection Methods & Error Avoidance
• Manual Analysis
  • Penetration testing
  • Threat modeling
  • Interactive tools that allow the tester to record and modify an active session.
• Black Box
  • Monitoring tools to examine software processes as they interact with the operating system/network.
  • Attach the monitor to the process and perform a login.
  • Look for library functions/system calls to see where privileges are being raised/dropped.
  • Look for resource accessibility that is restricted to normal users.

Detection Methods & Error Avoidance
• Inventory all accounts with privileged access and assign ownership.
• Minimize the number of privileged accounts.
• Shared account passwords must not be shared.
• Limit scope for each privileged account.
• Never assign superuser privileges to user accounts. Instead, use privilege elevation to allow temporary execution of privileged commands.
• Monitor and reconcile all privileged access activity.

Conclusion
• Tighten user access levels. Plan for least privilege early in the development cycle. [4]
• DO NOT run your code with administrative or root capabilities just to get everything running. Run your code with the lowest possible privilege. [4]
• Grant the minimum level of privileges required to carry out a task and limit the time where possible. [4]
• If using a database system, limit the rights of the database account that the application uses.

References
[1] Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, 2010. Print.
[2] "Common Weakness Enumeration." CWE -. N.p., n.d. Web. 22 July 2016. https://cwe.mitre.org/data/definitions/250.html
[3] "Access Control." OWASP. N.p., n.d. Web. 22 July 2016. https://www.owasp.org/index.php/Category:Access_Control. Last updated 1 June, 2016.
[4] Singh, Anmol. "Twelve Best Practices for Privileged Access Management." Twelve Best Practices for Privileged Access Management. Gartner, 08 Oct. 2015. Web. 22 July 2016. https://www.gartner.com/doc/3145917/best-practices-privileged-accessmanagement.
[5] Tomcat Wiki. Apache Tomcat, 09 Dec. 2015. Web. 22 July 2016. https://wiki.apache.org/tomcat/HowTo.
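
Added example (not part of the original presentation): the failure described in Example #1, where an exception from os.mkdir() skips lowerPrivileges(), next to a variant that drops privilege in a finally block. lowerPrivileges() is the name used on the slide; raisePrivileges(), the flag that stands in for real privilege calls, and the directory names are assumptions so the code runs without root.

```python
import os
import tempfile
from contextlib import contextmanager

# Flag standing in for real calls such as os.seteuid(); runs without root.
_elevated = False

def raisePrivileges():   # assumed helper name, not shown on the slide
    global _elevated
    _elevated = True

def lowerPrivileges():   # name taken from the slide
    global _elevated
    _elevated = False

def make_user_dir_flawed(base, username):
    """The flaw: an exception from os.mkdir() skips lowerPrivileges()."""
    try:
        raisePrivileges()
        os.mkdir(os.path.join(base, username))
        lowerPrivileges()
    except OSError:
        return False
    return True

@contextmanager
def privileged():
    """Hold elevated privilege only inside the with-block, even on error."""
    raisePrivileges()
    try:
        yield
    finally:
        lowerPrivileges()

def make_user_dir_fixed(base, username):
    try:
        with privileged():
            os.mkdir(os.path.join(base, username))
    except OSError:
        return False
    return True

def demo():
    results = []
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "alice"))   # constructed: forces mkdir to fail
        for fn in (make_user_dir_flawed, make_user_dir_fixed):
            lowerPrivileges()                   # start each run unprivileged
            results.append((fn(base, "alice"), _elevated))
    return results
```

demo() returns one (created, still_elevated) pair per variant; only the flawed variant is still elevated after the failed mkdir.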