Lecture 17 Scribe Notes

Notes by: Nahush Dixit

NFS Layout

CLIENT ---------------------------------------------------------------------------------------------------- SERVER

The client connects through a network to the server. The server hosts the files and the client manipulates the file system through the network. The network may not be trusted. For example, if the client connects through the Internet the client is generally untrusted. If the client is connected through a LAN, then the client is trusted. The client and the server can use different file systems. The server provides the security.

Simple NFS Security

Who checks the file permissions?

Let's say the server!

Client wants to write to the password file, the server looks at the file and sees:

rw-r—r--root root

Client, eggert, says it has a file handle:

eggert is actually uid_t 1017

Server denies access because eggert is not recognized as root:

root is uid_t 0

Problem

It is possible that two clients are on the same machine. Even though the user is the same on the machine, it has access to two separate UIDs.

Answer

The UIDs must be consistent among all systems using the NFS, so each machine is setup using the exact same network settings, user, administrators, etc.

Problem

If a user can become root on a client, that user can masquerade as any UID. This means that any file is visible to that client. So, how would the server know that a packet claiming to be from a particular client is legitimate?

Newer NFS Implementations

NFS Version 4 Features

• Requests come over the wire with users by name

  • Allows multiple clients with different UIDs for names

• Client users can authenticate themselves through external security services

• Encrypt traffic over the network

• Clients can authenticate

  • Authenticate by IP (only works on a trusted network)

• Authenticate the server

  • Allows the client to trust the server

Guidelines for Security Design

• Security via obscurity does not work

• Retrofitting security does not work

  • It's very difficult to change code to be secure than to create code that secure

• The two forms of protection:

  • Against force

  • Against fraud

    • Most difficult to protect against

Main Forms of Fraud Based Attacks

• Against Privacy (Unauthorized Disclosure of Information)

• Against Integrity (Unauthorized Modification of Information)

• Against Service (Preventing Access to Information)

General Goals

• Deny Unauthorized Access

  • Poorly tested (except by attackers)

• Allow Authorized Access

  • Well tested by real users

Threat Modeling and Classification (Understand the Enemy)

• Insiders

  • Better to have two-tiered security

    • One guy with the data and one guy with the data key

• Social Engineering

  • Tricking people into revealing passwords or information

• Network Attacks

  • Drive-by Downloads

  • Viruses

  • Denial of Service

• Device Attacks

  • Hardware keyloggers

• ETC

  • Most dangerous, because it is the unknown

  • A new system may have new vulnerabilities

Security Mechanisms Must Support

• Authentication

• Authorization

• Integrity

• Auditing

• Correctness

• Efficiency

How to Authenticate

• Based on the principal

  • Retinal scan

• Item in possession by the principal

  • RSA, Key Fob

• Knowledge in possession by the principal

  • Password

The Problems with External Authentication

All of these methods can be defeated in some for or another. Exercise all spy movie knowledge to get an idea of how.

Internal Authentication – Three Levels in Linux

1. Login with Password

2. Open a File – Permissions are checked

3. Read/Write – Check file descriptor's properties