Security Attack Penetration

From Linux NFS

(Difference between revisions)
Jump to: navigation, search
Line 6: Line 6:
a) the level of expected risk, and
a) the level of expected risk, and
b) the expected probability of finding problems.
b) the expected probability of finding problems.
-
 
-
---------------------------------------------------------------------------
 
Bull plans to work on the following:
Bull plans to work on the following:
Line 16: Line 14:
  In 1H2006:
  In 1H2006:
   3) Modify Client side for attacking Server
   3) Modify Client side for attacking Server
-
 
== 1) Analyze the source code ==
== 1) Analyze the source code ==
Line 56: Line 53:
         In general, the length is passed on.
         In general, the length is passed on.
         So memory overrun problems should not appear
         So memory overrun problems should not appear
-
+
 
Comment from Bruce Fields:
Comment from Bruce Fields:
   strcpy seems relatively rare in the kernel sources. (I just
   strcpy seems relatively rare in the kernel sources. (I just
Line 64: Line 61:
         making sure the length passed to it is always verified in
         making sure the length passed to it is always verified in
         some way.
         some way.
-
+
 
VH  e) Search for fixed-sized arrays filled with dynamic-sized data
VH  e) Search for fixed-sized arrays filled with dynamic-sized data
           - buffer-overflow
           - buffer-overflow
Line 102: Line 99:
               - glibc, rpc-sec, kerberos : already analyzed
               - glibc, rpc-sec, kerberos : already analyzed
               - focus on: idmap (ldap), libgssapi
               - focus on: idmap (ldap), libgssapi
-
+
 
Comment from Bruce Fields:
Comment from Bruce Fields:
         Most of the libraries we use (glibc, MIT kerberos) are
         Most of the libraries we use (glibc, MIT kerberos) are
Line 126: Line 123:
== 2) Run dynamic tests ==
== 2) Run dynamic tests ==
-
+
 
  H  a) User-land: Search for existing memory overflows with DUMA:
  H  a) User-land: Search for existing memory overflows with DUMA:
-
+
 
  H  b) Kernel-land: Same, but with low-level tools (kdb, print, ...)
  H  b) Kernel-land: Same, but with low-level tools (kdb, print, ...)
-
+
 
Comment from Bruce Fields:
Comment from Bruce Fields:
         For the kernel: one simple thing to do is to check
         For the kernel: one simple thing to do is to check
Line 140: Line 137:
== 3) Modify Client side for attacking Server ==
== 3) Modify Client side for attacking Server ==
-
+
 
     a) Modify: NFSv4, RPC, TI-RPC, TCP/IP, gss source code
     a) Modify: NFSv4, RPC, TI-RPC, TCP/IP, gss source code
-
+
 
     b) Use code of Python Client (rather than C client)
     b) Use code of Python Client (rather than C client)
-
+
 
Comment from Bruce Fields:
Comment from Bruce Fields:
         I've cc'd Fred Ismaan (iisaman@citi.umich.edu), who maintains
         I've cc'd Fred Ismaan (iisaman@citi.umich.edu), who maintains
Line 174: Line 171:
     a) It supposes the client can be routed to a NFSv4 pirate server
     a) It supposes the client can be routed to a NFSv4 pirate server
                 (fs_location or DNS attack)
                 (fs_location or DNS attack)
-
+
 
     b) Are there possibilities to crash the client machine or
     b) Are there possibilities to crash the client machine or
                 to corrupt system data ?
                 to corrupt system data ?

Revision as of 14:51, 7 December 2005

This document summarizes a study of the "Attack and Penetration" risks within NFSv4. A list of tasks is given, with priorities.

Priority (Very High, High, Medium, Low, Future) of each item is based on: a) the level of expected risk, and b) the expected probability of finding problems.

Bull plans to work on the following:

In end 2005:
  1) d) Search for dangerous functions, in NFS, RPC, TI-RPC, gss, idmap.
  2) a) Search for Memory Overflows in user-land code with DUMA
  2) b) Search for Memory Overflows in kernel-land code (kdb, print)
In 1H2006:
  3) Modify Client side for attacking Server

Contents

1) Analyze the source code

H  a) In NFSv4, RPC, TI-RPC, IPv6
      - Aurélien will focus on TI-RPC analysis
      - Chuck should be the right person to do the IPv6 review

   b) On server and client sides

   c) In user and kernel lands.

Comment from Bruce Fields:

 We were asked to suggest a few places to start looking. In the server
 kernel code, the data received from the client goes into rqstp->rq_res,
 so we're particularly interested in what happens to data taken from
 there.  The server does the first simple parsing of the rpc header in
 net/sunrpc/svc.c:svc_process(), which then it calls svc_authenticate,
 which does further parsing of the rpc headers.  Then it calls
 vs_dispatch to process the request body.  In our case vs_dispatch is
 fs/nfsd/svc.c:nfsd_dispatch(), and the function it will usually call
 to parse an NFSv4 request is
       fs/nfsd/nfs4xdr.c:nfs4svc_decode_compoundargs().
 In the process of doing the decoding, various bits of information
 (filenames, usernames, etc.) will be preserved for later use by
 fs/nfsd/nfs4proc.c:nfsd4_proc_compound(), and it will be useful to
 examine carefully how that information is treated.
H  d) Search for dangerous functions
         - User-land: strcpy, ...
         - Kernel-land: memset, memcopy, ..

     A candidate list (from some paper about improving security):
       gets scanf sprintf strcat strcpy mktemp system vsprintf
     Also, when appearing in a loop:
       getc fgetc getchar

       Focus on data coming from the userland (memcopy ...).
       In general, the length is passed on.
       So memory overrun problems should not appear

Comment from Bruce Fields:

 strcpy seems relatively rare in the kernel sources. (I just
       checked and only found one use in fs/nfsd, 4 in fs/nfs,
       and 4 in net/sunrpc.
 memcpy is more common, and it may also be worth searching for, and
       making sure the length passed to it is always verified in
       some way.

VH e) Search for fixed-sized arrays filled with dynamic-sized data

         - buffer-overflow
         - Kernel: page overflow
       Pages: the system dynamicaly allocates 4k buffers
       Problems of memory corruption have the highest priority.
H  f) Check that lengths are always passed when passing data
            from user-land to kernel-land.
H  g) Search for possibly (too) large names of files
         - Check symbolic links (paths)
       Example of string that can be sources of problems: symlinks.
M  h) Search for problems related to ACLs (more than 35 rules ?)
         - Why this 35 limit ?
         - In user-land on client-side, check the client cannot
              corrupt ACL data.
       We have to make sure that the ACL supplies have good format, so
               verify that we do not have any corrupted data.

Comment from Bruce Fields:

       Trond has pointed out that attribute parsing in general is
       pretty complicated in NFSv4, so getattr, setattr, verify,
       nverify, etc., may be worth a careful look.
F  i) Search for problems related to Named Attributes
         - large or/and numerous Named Attributes
M  j) Check all return codes are handled
         - WRONG_SEC: (error that could be generated if client
               and server have different security flavors.)
           Not really dealing with security problems.
H  k) List and analyze libraries used by NFS, RPC
         - User-land:
              - glibc, rpc-sec, kerberos : already analyzed
              - focus on: idmap (ldap), libgssapi

Comment from Bruce Fields:

       Most of the libraries we use (glibc, MIT kerberos) are
       widely used and (hopefully) have already been subject to a
       lot of scrutiny.  But it might be worth examining the libraries
       we've written or modified:
               libnfsidmap, libacl, libgssapi, and librpcsecgss. 
       Some of those are more mature than others.
       Before that you probably want to look at the code for the
       userland daemons in nfs-utils.

Comment from Kevin Coffman:

       I agree with Bruce.
       librpcsecgss (and libacl) should be moved/added to the list to focus on.
H  l) Analyze daemons
         - Focus on gssd and idmapd

Comment from Kevin Coffman:

       Note that there is a gssd and a svcgssd.
       They share a lot of code, but should both be looked at.
M  m) Run the SPARSE tool on code (already done for whole kernel ?)
         - Done on a regular basis by Trond

2) Run dynamic tests

H  a) User-land: Search for existing memory overflows with DUMA:
H  b) Kernel-land: Same, but with low-level tools (kdb, print, ...)

Comment from Bruce Fields:

       For the kernel: one simple thing to do is to check
               /proc/slabinfo, /proc/meminfo while running other
       tests.  Also make sure all the "kernel hacking" debugging
       options are turned on in the kernel configuration
       when running tests.  (Except when testing performance--the slab
       debugging in particular can have a big effect on performance.)

3) Modify Client side for attacking Server

   a) Modify: NFSv4, RPC, TI-RPC, TCP/IP, gss source code
   b) Use code of Python Client (rather than C client)

Comment from Bruce Fields:

       I've cc'd Fred Ismaan (iisaman@citi.umich.edu), who maintains
       pynfs. He's done some of this work and may have some ideas
       about what further could be done.
M  c) Randomly fill structures passed to server with:
         - large data
         - wrong
      and see what happens.
         - (Structures belong to: NFSv4, RPC, TI-RPC or TCP/IP)
         - Add new tests in newpynfs and Work with Fred Isaman
L  e) Focus on suspected but not-proved weaknesses in server
M  f) Hijack the NFSv4 protocol by sending not-logical or
              not-expected operations to server
         - pynfs already does tests like that. Contact F. Isaman.
         - Test with large compounds
         - ToBeCompleted

Comment from Bruce Fields:

       I'll try to think of some suggestions here.

4) Modify Server-side for attacking Client

Low Priority !

   a) It supposes the client can be routed to a NFSv4 pirate server
               (fs_location or DNS attack)
   b) Are there possibilities to crash the client machine or
               to corrupt system data ?
         - gss should protect against this kind of attack

Comment from Bruce Fields:

   One have to systematicaly use a stronger security flavor if he
       does not trust the server.
Personal tools