System Security
Capabilities and Uses
(Some Things To Look Out For)
Glenn C. Everhart
(Everhart@star.enet.DEC.Com, Everhart@GCE.Com)
Digital Equipment Corp.
�
System SecurityCapabilities and Uses
Securing A System
Facets:
Authentication (being sure a user is who he says he is)
Access Control (What the user may do)
Audit (Record keeping in case "something happens")
...all in accordance with a policy and security model.
(Dominant security model is military.)
Authentication:
OpenVMS, UNIX, WNT all use passwords for local system.
Networks pose a threat; knowing your user over a large
area is vulnerable to many problems.
- 2 -
�
System SecurityCapabilities and Uses
Threat: (a short list of general types)
Wiretaps (including ethernet "hardware assisted tap")
(also Tempest types, for completeness)
Untrustworthy hosts
Untrustworthy protocols
Untrustworthy programs
Wiretaps:
Ethernet packet grabbers are the most common wiretap class
threat.
Countermeasures:
TDR (to find unauthorized taps)
routers (keep traffic off wires where it isn't needed)
Use of FDDI (which has no promiscuous mode)
Specialty boxes like DESNC
- 3 -
�
System SecurityCapabilities and Uses
Untrustworthy hosts:
Any host with a dishonest person who can control it. C
spoof addresses or protocols. Many attacks on IP exist
routing level. DECnet host names can be forged:
Countermeasures:
For DECnet, node SEND and RECEIVE passwords for each
node (and default access NONE; set access for each
machine.)
Kerberos or similar authentication suites
NOTE HOWEVER that published TCP attacks exist which
threaten even Kerberos traffic if someone in
the middle can sniff the net between two point
trying to use it.
- 4 -
�
System SecurityCapabilities and Uses
Untrustworthy protocols:
Many common protocols like NIS (YP), NFS, have
holes which permit anyone who can access them to gain
access. The X windows protocols can be particularly
vulnerable (depending on transport and authentication
options.) Freely available programs can connect to an
server and ask it to report keyboard events. ANY acces
the node (if tcp/ip) means all key strokes can be read
(passwords...). X has no built in security; OS is expe
do it. Note again that TCP/IP reports only source mach
DECnet reports machine and user, a bit better. It has
reported that NetBEUI allows NO security control under
- 5 -
�
System SecurityCapabilities and Uses
Know Your System Limitations.
Remember that NT, OpenVMS, UNIX are only C2 certified
standalone systems; NOT on a net. Many protocol pro
have been reported (e.g. no security in MS Access, at
one time, NT Netware implementation doesn't ask for pa
for nonexistent accts).
Systems that have been around longer have fewer proble
(For some details on MS OSs, http://www.c2.org/hackmso
among other sites.) Microsoft is working on a crypto b
authentication hierarchy system. Also, various other s
protocols exist for authentication, file sharing, etc.
the ones below are most commonly used.
A little detail on some of these.
- 6 -
�
System SecurityCapabilities and Uses
NFS (Network File System)
NFS is "the" filesharing method in UNIX. Used also in OpenVMS
Vulnerability #1:
NFS checks its authorization to move data only at open, and do
not check the integrity of the transfer. Anyone who ca
trick TCP/IP into routing through them (or who can sen
data fast enough on a LAN) can corrupt files. This has
been used to insert Trojan horses in critical files,
corrupting even critical Kerberos code.
Note that DECnet FAL transfers have an end to end CRC which pr
this, and DECnet+ has an option to do end-end checksum
on everything.
NFS authentication is usually via UNIX style" IDs which requir
all systems to have the same ID (number) to name mappi
- 7 -
�
System SecurityCapabilities and Uses
(from a recent vmsnet.networks.tcp-ip.multinet article:)
Access to files via NFS is via UNIX-style UID/GID. An NFS clie
learn the UID/GID that a user is supposed to use by (1
local file which contains username (such as passwd on
or the NFS configuration information on (e.g.,) a Mult
client), or (2) by sending a username/password to a PC
server, which authenticates the username/password and
with the UID/GID.
Now, if someone with lots of time on their hands (a student, l
say their NFS client enough, they'll eventually find s
of causing NFS to emit any UID/GID they wish. Exact me
are left as an exercise for the reader. The "solution"
setup mount restrictions, so only "trusted" NFS c cert
mountpoints (directory trees).
Countermeasures:
Cryptographic authentication options and systems, to handle
authentication. Securing data really requires encrypti
any part of the data travels over untrusted wires. Eth
are very frequently not trustworthy.
Some protocols have optional authentication which is not widel
Try AFS (or DCE/DFS), which were designed for much stronger
security.
NIS (See D. Hess, D. Stafford, U. Pooch, Texas A&M
NIS (formerly Yellow Pages) is a protocol that propagates user
ID to number mappings (and others) around a net and do
authentication.
NIS is based on RPC (Remote Procedure Call. RPC authenticatio
defaults to none. It may use "UNIX" authentication or
(which encrypts timestamps).
- 8 -
�
System SecurityCapabilities and Uses
NIS config files are world readable, since NIS doesn't alter
the maps. Client security can be very poor.
Any machine on the net can pretend to be the NIS server (easy
if UDP is used for transport, as is usually done). The
NIS server need only beat the real one to the draw and
claim anyone is a legitimate, privileged user on anoth
With the "R" utils this can get any access a client allows to
user (for example). The client can't find out.
Since EVERYTHING tends to use NIS, this means all authenticat
gets broken. Even breaks DES (since the server is wher
keys come from).
Countermeasures:
Kerberos is stronger.
- 9 -
�
System SecurityCapabilities and Uses
DNS (Domain Name System)
Many TCP/IP programs use authentication by name, not I
address. The DNS does this mapping. It's distributed.
The problem is that one can fake being a DNS server, a
cache is used to store DNS names. Current algorithms
can be lied to, and one DNS response can "piggyback" e
extra info so the IP to name AND the name to IP maps c
be corrupted at one time in the local DNS cache. This
name based authentication can be compromised, and any
"distributed trust" authenticated only in this way can
defeated.
Defences:
No generic defenses exist. If the DNS code would prefe
authoritative cache data over non-authoritative, and
caches didn't replace old data with any new data, the
attack would be harder. Crypto DNS systems may help.
Someday.
- 10 -
�
System SecurityCapabilities and Uses
Note also that attacks on most IP protocols exist and
been reported years ago. Some just haven't gotten into
wild yet. The recent spate of SYN attacks, mailbots,
cancelbots, etc. is the tip of the iceberg.
Be very careful what you trust off your machine. Again
this is TCP/IP specific. DECnet, for example, has othe
issues with people faking nodenames, and you fight tha
by ALWAYS using link passwords for access (and set def
access to none).
This sort of attack is most common in TCP/IP in part b
of its ubiquity and wide source availability.
- 11 -
�
System SecurityCapabilities and Uses
Untrustworthy programs:
This refers to programs with covert behavior,
particul "Trojan horse" apps that do secret things whe
ar run with privs.
Countermeasures:
KNOW YOUR SOURCES !!! This is not a panacea for all se
problems, but makes vandalism much less likely. Someth
like Internet Explorer, for example, is very complex a
has been reported to have bugs able to disclose anythi
its machine, though this was doubtless not the authors
Run in a nonprivileged environment, and use tools like
SET WATCH (shows file accesses tried), FTS (on VAX) to
what system services are used (and fake $setpr optiona
or system service intercept by Brian Schenkenberger (s
sigtapes) which is suitable for $setprv, $gettim, and
intercepts fo selected processes. Watch for $getjpi, $
calls to set privs, or ask why $gettim may be called.
hard cases, DISM32 or similar tools can be used to rec
MACRO-32 if on VAX. ($Getjpi priv read or $gettim bomb
Try to arrange never to run untrusted code under a priv'd
process. An access ACE and an audit listener mailbox c
can be built to attempt to enforce this. (A pre-activa
checker is better still.)
Authentication of scripts for tampering is a good idea if
you can do it. In OpenVMS, Network-1 has a tool. Run a
checker periodically to look for tampered with code. W
stop access, but will tell you about it before you're
for long. Polycenter has one. UNIX tools at CERT help
Limit what unknown programs can do. The subsystem
facility of OpenVMS can limit a program's access if se
- 12 -
�
System SecurityCapabilities and Uses
right. A 3rd party product can further limit access by
privs, time, image, user, location, and "trustworthine
rating" and prevent accidental privilege grants and ch
file corruption. With such a system in place, files
protected cannot be accessed by Trojan code, since the
Trojan code cannot be given privs to do damage.
Know the capabilities of your system.
- 13 -
�
System SecurityCapabilities and Uses
User Authentication:
The key to system access is to have an identity the system
knows.
* Passwords when interactive. (Challenges, secure channels...)
USE the "evasion" features in your system
if you have them. USE password policy model
and checkers to be sure passwords are strong.
Pick good pass-phrases; do not force frequent
change (becomes algorithmic or is written down).
* Some distributed trust mechanisms exist. Examples:
* DECnet proxies, "R" utilities
EXTREME care in proxy access with privs
Use FAL$LOG=1/disable=8 (DECnet IV)
* "R" utilities (trusted users or hosts)
EXTREME care in this for anyone who can
become superuser, system, or administrator (UNIX, OpenVMS,
- 14 -
�
System SecurityCapabilities and Uses
* Routing information (network firewalls).
Several CERT advisories about this. Some
documented IP attacks still exist that have
not yet been seen in the wild.
Trust hosts sparingly.
* Most systems assume programs run under a user's name are to
be treated as agents of that user. For the most part
OpenVMS, UNIX, and NT check user access, not user/program.
Extended checking software features can be
helpful with the most critical data.
The "military model" is inadequate for
control of "insiders" and does not
encode "need to know". Only username
is generally used, but location,
program used, priv level, time, and
various other info exists, could be
used to specify what's allowed.
* Automatically downloaded software (Java, ActiveX, etc.)
needs an extended definition of security. The OpenVMS
"subsystem" facility begins to address this. (The 3rd
party "Safety" tool "paranoid mode" goes further.)
MANY holes have been reported in Java (see Dean, Felto
Wallach, Princeton Univ. CS dept. 1996). The issue is
an automatically downloaded app cannot sensibly be cal
"agents" of the user running a web browser. To provide
security, ActiveX attempts to ensure that the sender's
identity is known. This (if do-able) makes virii less
likely, but does not mean that a program might not be
to copy or alter data on a machine. Thus the ActiveX s
helps the common "PC" problem but not the commercial
security major issues. From the Java FAQ:
Q: Won't digital signatures solve all the problems?
A: No, they'll only help a little. Digital signatures let you
- 15 -
�
System SecurityCapabilities and Uses
who wrote an applet, but they don't decide if you can
the author.
Nor do they help you decide how secure the author's work is ag
things like information theft using it. (Recall the IE
holes in a complex package may allow misuse even from
best known sources.)
- 16 -
�
System SecurityCapabilities and Uses
Java holes in implementation have been reported. However, deep
problems exist, among them:
* There is no formal security policy for Java.
* There is no logging of security events in Java.
* There is no trusted computing base.
* There is no single line of defense, but security fun
are spread all over the code.
* The bytecode verifier is impossible to check for sec
* Java is a language and a security barrier. The polic
for these two objectives are not the same.
* At least a few covert channels exist which can be us
send information or subvert the Java security system.
It seems likely that a rework of Java would be needed to provi
a secure technology. Javascript is also vulnerable.
The stronger the underlying OS's abilities to guard your data,
you are using tools like Java or ActiveX, if those too
used. OpenVMS can be set up more robustly than most.
- 17 -
�
System SecurityCapabilities and Uses
The most common security threat:
"Social Engineering" (i.e., plain old deception of humans) is
a serious threat. (Watch someone type a password, or
get a password changed over the phone or print & mail
a document...)
Some forms of these threats can be helped
where clerks are duped, IF the clerks are
themselves limited in how they can get
information. Education and auditing are
needed too.
Responses To Threats:
* Educate your users.
* Idle account reuse
Clean out all residues of accounts (includimg
ACEs) promptly. NT user ID is never reused.
(DISUSERing an acct can be better sometimes
detect attempts at reuse.)
* Spoofing or untrustworthiness of something on
another machine. Authenticators can be added for some
of access, to ensure you're dealing with the user and
machine you think. The better ones encrypt their traff
They can also be use permit safe access by category to
you need to share internally but not all over. Firewal
internally can be very helpful if community topology a
* Weak default protections
Run checkers like COPS or any of several on
the sigtapes for OpenVMS, or the Polycenter too,
to test. (The WNT security FAQ is on the OpenVMS/LT sigtape
Volume protections to isolate classes of users
work like mandatory controls. If someone cannot
access the volume, they can't get any file on
it. Virtual disks help here. On OpenVMS you can
- 18 -
�
System SecurityCapabilities and Uses
use volume ACLs to isolate volumes from, say,
network access.
If information is private, use a cryptodisk, and for safety
keep the key value locked in a safe. (You might get run ove
by a truck, after all.)
- 19 -
�
System SecurityCapabilities and Uses
Access Control:
Access control means the facilities the system uses to control
who gets what access to what objects.
OpenVMS, UNIX, and WNT all rely on a user name which becomes a
magic cookie.
* In UNIX and WNT, a user can belong to many groups
(sometimes limited to a fixed maximum number like 8 or
Access to objects can be as the user, or as a group me
* OpenVMS allows a user to hold many rights identifiers (as
many a desired). Access can be as the user or as a hol
an identifier.
* Both OpenVMS and WNT have notions of privileges which bypass
security checks; details are different and some WNT
privileges are relevant to certain utilities only. UNI
a single privilege, "Superuser" for all functions. Ope
UNIX have notions of specially-trusted applications (i
with privilege or with suid/sgid privilege). (OpenVMS
"install with identifier" notion, the subsystem facili
File Access:
* File access in OpenVMS and UNIX can be specified with a
"UIC" shorthand (descended from pdp10 Monitor conventi
giving a user or group number. OpenVMS and some modern
UNIX versions also support ACLs.
* WNT has no "UIC" heritage but inherits the MSDOS file
protection scheme in addition to its ACLs. This overri
ACL protections if present.
* OpenVMS allows files in a directory to have a default ACL
- 20 -
�
System SecurityCapabilities and Uses
copied to files as they are created. WNT allows defaul
in parent directories as well as a default user ACL. O
does not have a default per-user ACL. File ACLs in WNT
be inherited from parent directory OR user default.
* WNT allows some limited "SYSTEM" ACL entries to exist
for limited purposes (i.e., audit). OpenVMS has the no
protected ACE which may also be hidden. These OpenVMS
are fully general, not only for auditing.
- 21 -
�
System SecurityCapabilities and Uses
* Major difference: OpenVMS stores security information with
the file (in the header, actually). WNT stores it sepa
in a "registry".
OpenVMS approach means the security information comes
"along for the ride" during file access. Thus access is fast.
When trying to remove a user, removing all ACLs that
mention that user can be a chore. (Tools on the SIG tapes exi
WNT approach makes management easier.
Cache can attempt to reduce overhead of lookup of
security information.
Where a file has no security information, its ancestors
are examined. Thus only one ACL might cover a large
part of a volume, many directory levels deep.
* Access controls:
UNIX: Read, Write, Execute, SUID, SGID
OpenVMS: Read, Write, Execute, Delete, Control
WNT: Read, Write, Execute, Delete, Control, TakeOwners, Read-A
- 22 -
�
System SecurityCapabilities and Uses
* Impersonation services exist in both systems, for use by
trusted servers. Capabilities are generally similar
* Correct setup rules of thumb, OpenVMS OR WNT:
Back up data often enough and GUARD the BACKUPS
Protect what is important most carefully
Be sure default accesses correspond to policy
Important Differences of Detail between OpenVMS and WNT
* Registry vs. security info with object
* ACLs only, with inheritance and user defaults, vs. ACLs and
* Details of ACLs and privileges differ
* WNT default if no ACLs are present is completely open
* WNT also defaults to a "guest" account requiring no
prior authentication at all.
- 23 -
�
System SecurityCapabilities and Uses
Audit
* OpenVMS and WNT have facilities for audit of security
related events.
* OpenVMS facilities are well developed
* Problem of audit is volume of data.
* Several products exist to use the "listener mailbox"
of OpenVMS Audit to report suspicious actions in c
to real time.
* Audit can tell when the horse leaves the barn and
what is going on. This is only useful for some threats
* Pattern matching in console input watchers can
also respond to snooping for info around the system.
* A "security patrol" is worth having if you can.
Keep audit trails, offsite if possible. Keeping audits
on write-once configurations worth thinking about.
- 24 -
�
System SecurityCapabilities and Uses
Conclusion:
* Know and control your user population and its permissions
* Avoid untrusted protocols
* Check your security against local policy with tools, commerc
or free
* "Walk the beat" to look for strange things
* Set up access permissions, especially on critical data,
to allow only what is needed for people to do their
jobs
* Consider resetting default permissions if they are too loose
for your policy.
- 25 -
�
System SecurityCapabilities and Uses
- 26 -