2019-09-22

Lab: Software without Security Holes #2

Table of Contents

1 Background

  1. Should have completed Lab on Software without Security Holes #1
  2. System Programs: mount, fusermount, sudo, su, passwd, chsh, … We expect these to be free of security holes.
  3. Examples of ordinary (non-system) programs and utilities: cat, ls, date, make, and even login, bash, ash, dash, csh, zsh and other shells. [I suppose we could relax our expectations on these.]
  4. http://cwe.mitre.org/data/definitions/264.html CWE CATEGORY: Permissions, Privileges, and Access Controls

2 Tasks

2.1 Task: Experience A Past Exploit: ShellShock [20 points]

  1. Background: Learn about ShellShock, the 2014 bug in bash. Older versions of Bash can be tricked into executing arbitrary commands smuggled in through environment variables. Study these:
    1. https://en.wikipedia.org/wiki/Shellshock_(software_bug)
    2. https://www.sophos.com/hu-hu/lp/bash-shellshock.aspx
    3. https://www.owasp.org/images/1/1b/Shellshock_-_Tudor_Enache.pdf (25 slides)
  2. Background: ShellShock:: CVE-2014-6271 "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix." [Refresh your hold on bash syntax and usage.]
  3. Background: ShellShock Further Refs
    1. https://www.us-cert.gov/ncas/alerts/TA14-268A;
    2. https://www.cybrary.it/0p3n/shellshock-all-you-need-to-know-about-the-bash-bug-vulnerability/
    3. https://security.stackexchange.com/questions/68448/where-is-bash-shellshock-vulnerability-in-source-code
  1. [5 points] Check whether bash, as shipped in a modern Linux distribution, still has this vulnerability. Include the bash version (bash --version). Describe in detail how you checked. Develop a detection script.
  2. [15 points] Download a version claimed in the articles above to be vulnerable from http://ftp.gnu.org/gnu/bash/, which has older and current versions of bash. Build it. Rename the current /bin/bash as /bin/bash-orig. Install the one you built as /bin/bash. (Do this in a disposable VM: on systems where /bin/sh is bash you are replacing the system shell.) Verify that this version of bash has the vulnerability. Include details of the bash version you installed. Describe in detail how you verified. Develop a script that demonstrates.
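Added example for the two ShellShock items above, written for this page rather than taken from the lab or from GNU bash: a POSIX sh script with one probe function per CVE, a report that includes the bash version string, and a separate function that fetches, builds and swaps in the unpatched bash-4.3 release. The tarball name bash-4.3.tar.gz under the mirror named above, the script and function names, and the assumption that a current C toolchain can still build the 2014 sources are this example's own.

```shell
#!/bin/sh
# Added example, not from the lab page: probe a bash binary for ShellShock
# (CVE-2014-6271 and CVE-2014-7169) and, on request, build and install the
# unpatched bash-4.3 release. Function names are this example's own.

# CVE-2014-6271: a vulnerable bash, importing a function definition from the
# environment, keeps parsing past the closing brace and runs the trailing
# "echo VULN6271" before the -c command. Returns 1 if the probe fired.
probe_cve_2014_6271() {
    out=$(env 'x=() { :;}; echo VULN6271' "$1" -c 'true' 2>/dev/null) || :
    case "$out" in *VULN6271*) return 1 ;; esac
    return 0
}

# CVE-2014-7169 (left over after the incomplete first fix): the dangling
# redirection in the parser turns the -c command "echo date" into
# "date > echo", so a file named "echo" appears in the working directory.
probe_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'X=() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -f "$tmp/echo" ]; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

# 0 = neither probe fired, 1 = vulnerable, 2 = no such executable.
shellshock_check() {
    bash_bin=${1:-/bin/bash}
    [ -x "$bash_bin" ] || return 2
    status=0
    probe_cve_2014_6271 "$bash_bin" || status=1
    probe_cve_2014_7169 "$bash_bin" || status=1
    return "$status"
}

# Report with the version string the lab asks for; exit status as above.
shellshock_report() {
    bash_bin=${1:-/bin/bash}
    rc=0
    shellshock_check "$bash_bin" || rc=$?
    case "$rc" in
        0) printf '%s: not vulnerable (%s)\n' "$bash_bin" "$("$bash_bin" --version | head -n 1)" ;;
        1) printf '%s: VULNERABLE (%s)\n' "$bash_bin" "$("$bash_bin" --version | head -n 1)" ;;
        *) printf '%s: not an executable\n' "$bash_bin" ;;
    esac
    return "$rc"
}

# Build bash-4.3 from the GNU mirror (tarball name assumed) and install it as
# /bin/bash, keeping the distribution binary as /bin/bash-orig. The probes run
# against the fresh build first, so a non-vulnerable binary is never installed.
# Root, a working C toolchain and network access are required; use a
# throwaway VM, since on systems where /bin/sh is bash this replaces the
# system shell with a deliberately exploitable one.
install_vulnerable_bash() {
    ver=${1:-4.3}
    url="http://ftp.gnu.org/gnu/bash/bash-$ver.tar.gz"
    work=$(mktemp -d) || return 2
    ( cd "$work" && wget -q "$url" && tar xzf "bash-$ver.tar.gz" &&
      cd "bash-$ver" && ./configure >/dev/null && make >/dev/null ) || return 1
    built="$work/bash-$ver/bash"
    rc=0
    shellshock_check "$built" || rc=$?
    [ "$rc" -eq 1 ] || { echo "$built did not trigger either probe; not installing" >&2; return 1; }
    [ -e /bin/bash-orig ] || cp -p /bin/bash /bin/bash-orig
    install -m 0755 "$built" /bin/bash
    shellshock_report /bin/bash
}

# Usage: sh shellshock.sh [/path/to/bash]   probe (default /bin/bash)
#        sh shellshock.sh --install         build bash-4.3 and swap it in
if [ "$#" -gt 0 ]; then
    case "$1" in
        --install) install_vulnerable_bash ;;
        *) shellshock_report "$1" ;;
    esac
    exit $?
fi
```

Both probes go through env rather than a shell assignment so that the crafted value crosses an exec boundary exactly as it did in the CGI and sshd vectors. On a patched bash both stay silent: since the 2014 patch series bash imports functions only from variables named BASH_FUNC_name%%, so a plain variable whose value begins with "() {" is just a string. The second probe works in a temporary directory because a vulnerable bash creates a file named echo wherever it is run.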

2.2 Task: System Program fusermount [20 points]

  1. Background: FUSE (Filesystem in Userspace) and fusermount: https://en.wikipedia.org/wiki/Filesystem_in_Userspace. Read man fusermount. Required reading.
  2. Background: Study FUSE documentation from within the kernel source tree: https://www.kernel.org/doc/Documentation/filesystems/fuse.txt,
  3. Background: CVE on fusermount: Become aware of CVE-2018-10906. "fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow-other' mount option regardless of whether 'user-allow-other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects." [We will try to revisit this topic after SELinux lectures.]
  4. Background: CVE on fusermount: Become aware of CVE-2015-3202 "fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature."
  5. HeartBleed:: Discovered in 2014, about the same time as ShellShock. The bug is in the OpenSSL library (its TLS heartbeat handling), not in a system program. Not part of this course.
  1. [15] Download from https://github.com/libfuse/libfuse. Build it, following the installation guide. Become familiar with its files. Understand the security implications: fusermount is installed setuid root so that unprivileged users can mount, which is why its handling of the environment and of /etc/fuse.conf matters in the two CVEs above.
  2. [05] Check that the just built fusermount works. Describe in detail how you verified. Develop a script that demonstrates.
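Added example for the two fusermount items above (this page's own, not from the lab or from libfuse): a POSIX sh script that checks the installed fusermount's setuid bit and ownership, reads /etc/fuse.conf for user_allow_other, and mounts libfuse's example/hello filesystem to prove that the mount and unmount path works end to end. The build-directory layout build/example/hello, the script and function names, and the lenient conf reader are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the lab page or libfuse: sanity-check the
# installed fusermount, read /etc/fuse.conf, and exercise the mount path
# with libfuse's own example filesystem. Function names are this example's own.

# fusermount performs mount(2)/umount(2) on behalf of an unprivileged user,
# so it must be setuid root; a copy without the bit, or owned by someone
# else, is either a broken install or a tampered one.
is_setuid() { [ -u "$1" ]; }
owned_by_root() { [ "$(ls -ln "$1" | awk '{ print $3 }')" = "0" ]; }

# 0 = looks sane (prints the version), 1 = wrong bits/owner, 2 = not found.
fusermount_sanity() {
    bin=${1:-$(command -v fusermount3 || command -v fusermount || :)}
    [ -n "$bin" ] && [ -x "$bin" ] || { echo "fusermount not found" >&2; return 2; }
    is_setuid "$bin" || { echo "$bin: setuid bit missing" >&2; return 1; }
    owned_by_root "$bin" || { echo "$bin: not owned by root" >&2; return 1; }
    "$bin" -V
}

# allow_other is honoured for non-root users only if /etc/fuse.conf contains
# a "user_allow_other" line (CVE-2018-10906 is a bypass of exactly that
# check). Returns 0 when the option is enabled in the given file. This
# reader is the example's own; it ignores blank lines and "#" comments.
fuse_conf_user_allow_other() {
    conf=${1:-/etc/fuse.conf}
    [ -r "$conf" ] || return 1
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "user_allow_other" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Mount libfuse's example filesystem (example/hello.c) on a temporary
# directory, read the single file it exposes, and unmount through fusermount.
# Assumes a meson build directory "build" inside the libfuse checkout.
fuse_hello_demo() {
    hello=${1:-build/example/hello}
    umount_cmd=${2:-fusermount3}
    [ -x "$hello" ] || { echo "$hello: not built" >&2; return 2; }
    mnt=$(mktemp -d) || return 2
    "$hello" "$mnt" || { rmdir "$mnt"; return 1; }
    got=$(cat "$mnt/hello") || :
    "$umount_cmd" -u "$mnt"
    rmdir "$mnt"
    [ "$got" = "Hello World!" ]
}

# Usage: sh fusermount-check.sh [path/to/hello-binary]
if [ "$#" -gt 0 ]; then
    fusermount_sanity || exit $?
    if fuse_conf_user_allow_other; then echo "user_allow_other: enabled"
    else echo "user_allow_other: not set"; fi
    fuse_hello_demo "$1" && echo "hello example: mounted, read back, unmounted"
fi
```

The hello example in libfuse serves one file, hello, containing "Hello World!", so reading it back is a cheap end-to-end check that the kernel module, the library and fusermount agree. A non-root user can only complete the mount step when fusermount is setuid root, which is why the script checks the binary's bits and owner before anything else.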

2.3 Task: CERT Coding Guides [20 points]

  1. Coding Guides:: The CERT coding guides for C and C++ are part of this course. The one for Java is not.
  2. What is the role of a computer emergency response team? A Computer Emergency Response Team (CERT) is a group of information security experts responsible for the protection against, detection of and response to an organization's cybersecurity incidents. [web search result, June 2019] [There is a CERT in many countries.]
  3. Background: Become familiar with the SEI CERT C Coding Standard. Understand the following rules deeply, including the exceptions each one lists:
    1. EXP39-C. Do not access a variable through a pointer of an incompatible type
    2. EXP45-C. Do not perform assignments in selection statements
  1. Analyze, manually, the source code of fusermount.c for any violations of the above rules. Discover and explain at least two violations.

2.4 Task: Assert fusermount [20 points]

  1. Background: Learn assert.h. https://en.wikipedia.org/wiki/Assert.h
  1. Give an entry assertion, an exit assertion, and a loop invariant for two non-trivial (> 15 SLOC) functions/ procedures of fusermount.c.

3 Tasks: [Bonus][Optional]

3.1 Task: Static Analysis Tool LLVM Clang-Analyzer [20 points]

  1. Background: https://clang-analyzer.llvm.org/ LLVM Clang-Analyzer
  2. Background: http://btorpey.github.io/blog/2015/04/27/static-analysis-with-clang/
  3. Background: https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Clang_static_analysis
  1. Analyze, using scan-build, the source code of fusermount.c. Report on your findings.

3.2 Task: CodeChecker [20 points]

  1. Background: https://github.com/Ericsson/codechecker CodeChecker is a static analysis infrastructure built on the LLVM/Clang Static Analyzer toolchain, replacing scan-build in a Linux or OS-X development environment.
  1. Analyze, using codechecker, the source code of fusermount.c. Report on your findings.

3.3 Task: Comparative Review [20 points]

  1. Write a comparative review of the tools used in this lab and in the previous lab, SecSoftware#1. It is acceptable to base the write-up on reading about the tools, but it is better if it is based on the experience of having used them for long enough to form an opinion.

4 Submission

  1. [10 points] Lab Report quality.
  2. You must follow the Lab Report Template. There should be a section on each of the tasks. A couple of lines of an answer to each (implied/ explicit) question/ discussion item. Must number it as in this document.
  3. Use good judgement and do not make the report way longer than, say, 20 pages. Submit explanations and code that verifies your answers.
  4. [10 points] Include a journal. By the hour.
  5. Submit a PDF file named exactly Report-Lx.pdf [x is a single digit; lookup the value of x on the home page], and a tarball Lx.tbz [use tar cfjvv Lx.tbz source-files* ]. (Scripts are used to check various things – so file names should obey such "rules".)

5 References

  1. Prabhaker Mateti, Software Development without Security Holes, 2019. Required Reading.

6 End


Copyright © 2019 www.wright.edu/~pmateti • 2019-09-22