Foundations of Cybersecurity (Winter 16/17) saarland

university
Prof. Dr. Michael Backes
CISPA / Saarland University computer science

Solution of Exercise Sheet 3

1 Basic access control on Linux

(a) Every Unix process is associated with a real user ID (RUID), an effective user
ID (EUID), and a saved user id (SUID).
(2 points) i. Explain the difference between the RUID and the EUID.

Solution:
EUID: UID currently used for most, not all, access control checks (e.g.,
file system access)
RUID: Real owner UID of a process
SUID: When you call setuid to change the EUID, SUID stores the
current EUID value, so the process can return to its original EUID.

(4 points) ii. Assume four executable binaries have the following permissions:
-rwsr--r-- 1 root root 213 Oct 12 11:10 file1.bin
-rwxr-xr-- 1 alice users 134 Oct 12 11:11 file2.bin
-rwsr-xr-- 1 alice users 186 Oct 12 11:12 file3.bin
-r--rwxr-- 1 bob users 113 Oct 12 11:13 file4.bin
Consider user bob who only belongs to the group users. For each of the
above file, state whether bob will be able to execute the file. If no, explain
why, if yes, give the EUID and RUID of the corresponding process when it
starts.

Solution:
1. Bob cannot execute file 1 because he is not root.
2. File 2 can be executed since bob is a member of users. EUID and
RUID of the starting process are bob.
3. File 3 can also be executed because of bob’s membership in users.
While the RUID is still bob, EUID is set to alice for the process
because of the setuid bit.
4. Bob cannot execute file 4 even though he is a member of users. The
reason is that, first, it is checked whether the executing user is the
owner, which is true in this case. Then the corresponding owner
permissions are applied. The group permissions are only applied if
the owner check fails. However, as the file owner, bob can change
the access rights and grant himself the execution permission.

(2 points) iii. Under Linux, a process may use the setuid(newuid) function to change
its effective user id at runtime. Consider a process that is not running as
root (i.e., EUID 6= 0). Which are the possible IDs that this process can set

1/8
 Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 3

its EUID to using this function?

Hint: The Linux setuid() follows the POSIX standard (which refers to
the IEEE 1003.1 Standard). You can check this standard, for instance,
at http://pubs.opengroup.org/onlinepubs/9699919799/ to investigate
the defined behavior of setuid(), or, alternatively, in the following sci-
entific paper http://www.cs.umd.edu/~jkatz/TEACHING/comp_sec_F04/
downloads/setuid.pdf.

Solution:
The newuid must be equal to either the real uid or saved uid if the
effective uid is not zero, but no other UID for obvious security reasons
(i.e., impersonating another user).

(2 points) iv. Now given the process is executing with root privileges (i.e., EUID = 0),
what happens to the EUID, RUID, and saved UID when this process uses
setuid() to change to a UID 6= 0? Why is this necessary for security
reasons?

Solution:
If the process is executing with root privileges, setuid(newuid) will also
change the RUID and SUID. Thus, it is not possible for this process to
return to root privileges once it dropped this privilege with setuid(). If
that would be possible, any process that has ever been started initially
with root privileges, could than at later point be compromised and
the attacker could easily escalate his privileges by simply resetting his
process’ UID to root.

(b) Consider an executable foobar with the following permissions:

-rwsrwxrwx 1 root root 186 Oct 31 23:42 foobar

(3 points) i. Explain the apparent security vulnerability of this permission setting!

Solution:
foobar.bin has setuid bit set for the owner root, i.e., it will execute
with root privileges, and at the same time it is writable by all users.
Thus, one could assume a malicious user could simply open this file,
overwrite its content with the logic she desires, and then execute this
custom logic with root privileges, effectively giving any user root
privileges.

(4 points) ii. Create such a vulnerable program on your Linux system. Try exploiting this
vulnerability and report how you tried to exploit this vulnerability, what
happened when you tried exploiting it, and whether you were successful or
not with your exploit. Prove your findings with a screenshot.

2/8
 Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 3

Solution:
When overwriting the content of such a file, the operating system will
remove the setuid bit automatically after the modification and require
the owner of the file to set the setuid bit again, thus confirming that
the owner is aware of the changes.

(3 points) (c) Now consider that the permissions of foobar have changed to the following
setting:
-rwsr-xr-x 1 root users 186 Oct 31 23:42 foobar.bin
The following pseudo-code represents the logic of foobar:
1 args = read commandline arguments()
2 execute on shell(args)

What is the severe security vulnerability of foobar? Research what the Confused
deputy problem is and use it in the context of your answer.

Solution:
Confused deputy denotes a privileged program (e.g., one executing with
root privileges), which can be tricked/misused into executing its privileges
on behalf of a user/program that is unprivileged. In case of foobar.bin,
this file is clearly a confused deputy, since

• it has setuid bit for root

• it can be executed by any user besides the privileged root user

• its logic takes the supplied commandline parameter and then executes
it in its own process without any security checks whether it should
actually do this, i.e., the commandline parameter can be an arbitrary
string that is then executed as a root privileged command

2 Security Lattices
In the lecture, we introduced lattices along with their formal definition. In this
exercise, we have a closer look.

3/8
 Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 3

(3 points) (a) For each of the following two figures, decide whether they form a finite lattice.
Use the definitions given on the slides.
F

Professor
D E

TA

Tutor B C

Student A

Solution:
Figure 1 is clearly a lattice because it satisfies all required properties. Figure
2 in contrast is not a finite lattice, because there is at least one subset of
levels that do not have a unique least upper bound. If we have a look at B
and C, we cannot decide whether D or E is the least upper bound, but the
least upper bound operator needs to be defined everywhere and since it is a
function, it needs to have exctly one result.

(2 points) (b) The following structure is not a lattice:

top secret, espionage super secret, espionage

unclassi ed, espionage

top secret, / super secret, /

unclassi ed, /

The reason is that we require the least upper bound operator to be totally defined,
meaning there must not be two security labels that do not have an upper bound.
However, here top secret, {espionage} and super secret, {espionage} do not
satisfy this property. State your intuition why using the above non-lattice for
access control is problematic. Remember that in our case lattices encode the
possible flows of information. What happens when information from top secret,
{espionage} and super secret, {espionage} is combined?

Solution:
In most scenarios, having no system top, that is a single upper bound that

4/8
 Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 3

(transitively) dominates all other nodes, is problematic because there is no

single subject that can read all information. Consider a military scenario. In
the context of least privilege, not giving all soldiers access to all documents
is legit. But remember that, for tactical reasons, it might be a good idea to
have at least one person that can utilize all information to coordinate the
whole operation.
Concerning the top secret, {espionage} and super secret, {espionage} labels:
How should information that is combined from both sources be treated?
Which label should be assigned?

(5 points) (c) Reconsider the (non-)lattice from above. Transform this structure into an actual
finite lattice. You are not allowed to change existing security clearance levels
or compartments, but you may add new ones. You will also need to add new
connections (extend the dominance relation). Hint: This is manageable by
adding only a single clearance level.
Provide a Hasse diagram for your lattice and explain briefly why your additions
fix the problems.

Solution:
What is missing is an upper bound, so we add ultra secret that dominates
top secret as well as super secret.
ultra secret, espionage

top secret, espionage super secret, espionage

ultra secret, /

unclassi ed, espionage

top secret, / super secret, /

unclassi ed, /

3 Bell-LaPadula and Biba

In the lecture, we learned about the idea of the Bell-LaPadula access control model.
For this exercise, we need two concrete properties of this model:
1. simple security property: A subject can only read an object of less or equal
security level (No read up, ss-property).

5/8
 Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 3

2. star property: A subject can only write into an object of greater or equal security
level (No write down, *-property)
(2 points) (a) Imagine a system that runs two different types of processes. On the lowest
security level, it runs all processes that operate on the network, while on the
higher level, there are the processes of the user that have access to critical data
like credit card information. We want to apply the Bell-LaPadula model in
combination with the following lattice:

user

network

Now assume that a user accidentally installed and started a spyware that wants
to send the user’s data to the malware author. Analyze the attack in the context
of Bell-LaPadula’s star-property.

Solution:
As the malware is installed and run by the user, its process is assigned the
user security level that grants access to privacy-critical data. However, the
trojan cannot exfiltrate the data through the network. The star-property
prevents the user level trojan from making confidential data available to
the less-privileged network processes, so the data cannot be leaked this way.

(4 points) (b) This time, we are not interested in confidentiality but integrity, so we do not
care about which information is disclosed but who can modify it. The integrity
counterpart of Bell-LaPadula is called Biba model, where we now have integrity
levels and domination relationships. We again focus on two properties:
1. simple integrity: A subject can modify an object only if the integrity level
of the subject is greater or equal than the integrity level of the object (No
write up).
2. integrity confinement: A subject can only read an object if the integrity
level of the subject is less or equal than the integrity level of the object (No
read down).
The figure below depicts a lattice in a military context. In this example,
we interpret the flow of information (dominance relation) as military orders.
For example, department 1 sergeants can take orders from generals (read up)
and generals can give orders to department 1 sergeants (write down). Using
this interpretation, explain why the simple integrity and integrity confinement
properties make sense for this concrete lattice.

6/8
 Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 3

general

sergeant dpt 1 sergeant dpt 2 sergeant dpt 3

soldier dpt 1 soldier dpt 2 soldier dpt 3

Solution:
Without those properties, high integrity subjects could read orders from
subjects with lower integrity level, which does not make sense at all in the
military context. Consider a soldier giving orders to a general. If you read
down, you read information from potentially untrustworthy sources. Con-
versely, writing up violates the integrity of the modified information which
cannot be trusted anymore afterwards. So the two properties mentioned
above ensure a correct chain of command.

4 Malware classification
In the lecture, we learned about the characteristics of seven types of malware.
However, in reality malware rarely sticks to those categories but rather combines
several types. In this exercise, we try to categorize recent malware samples.
(7 points) (a) Recently, an interesting malware sample called Linux.Wifatch showed up in the
wild. After their analysis, Symantec published a blog post on what we already
know about this piece of malware and why it is so interesting. For malware in the
wild, categorization is often not straightforward. First, read the full blog entry
that can be found at: http://www.symantec.com/connect/blogs/there
-internet-things-vigilante-out-there
Second, for each of the seven types of malware that we sketched in the lecture,
briefly state whether Wifatch (partly) falls into that category and why.

Solution:
1. Virus: Wifatch does not inject itself into files and resources to spread,
so it does not show the infection characteristics typical for viruses.
2. Trojan Horse: Wifatch does not disguise as benign software and
therefore does not show characteristics of a trojan horse.
3. Rootkit: As emphasized by the authors, the malware does not try
to evade detection. Actually, it actively warns the user upon telnet
usage for example.

7/8
 Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 3

4. Worm: The authors stress that Wifatch mainly spreads by brute

forcing passwords, so its autonomous spreading behavior falls into the
category of worms.
5. Spyware: At least Symantec’s analysis did not find any spying behav-
ior integrated into Wifatch. But it has generic backdoors that would
allow for such behavior.
6. Ransomware: Does not apply at all since Wifatch does not restrict
access to resources or demand ransom.
7. Botnet: As a part of Wifatch’s efforts to eliminate malware on routers,
it regularly receives new malware signatures. This is implemented by
joining a botnet upon infection that is controlled using cryptographi-
cally signed messages, so Wifatch also shows botnet characteristics.

(7 points) (b) One rather famous and sophisticated example is the regin malware that in its sec-
ond version surfaced in 2013. Researchers believe that, due to its complexity and
professionalism, it was created by a state level player. Again, read the Symantec
article at http://www.symantec.com/connect/blogs/regin-top-tier
-espionage-tool-enables-stealthy-surveillance and for each malware cat-
egory describe whether it applies to regin.

Solution:
1. Virus: Following the article, there is no proof that regin injects itself
into files and resources to spread. However, one of its spreading
vectors is an exploit in the yahoo messenger which might involve user
interaction and can therefore be seen as a virus attack.
2. Trojan Horse: As indicated in one of the article’s pictures, the trojan
horse part forms the first stage of the dropper.
3. Rootkit: Its authors have put a lot of effort into hiding the presence
of regin on a victim system, because it seeks permanent and undetected
presence. It clearly shows characteristics of a rootkit.
4. Worm: The exact spreading vectors are still unclear, but as regin is
mostly used for targeted attacks, uncontrolled and automated spread-
ing does not seem to be intended.
5. Spyware: Regin comes with multiple spyware modules that are used
to capture screenshots, steal passwords etc. In general, spyware mod-
ules can easily be deployed after the infection because of regin’s strong
modularization.
6. Ransomware: There is no indication of ransomware behavior.
7. Botnet: While the article does not mention this, the linked whitepaper
indicates that regin can delay its communication to Command &
Control Servers via other infected peers.

8/8