Trials and tribulations of building an e-commerce server
In part two, we take an in-depth look at the design and implementation of a secure Internet commerce facility. Plus Bug of the Month focuses on eject and password bugs
The secure Internet commerce facility project continues. This month's column includes design decisions made, the implementation (the good, the bad, and the ugly), and the valuable lessons that working on such a project imparts.
Also in Pete's Wicked World this month: the bookstore has information on a hot new newsletter, an Internet privacy consortium, and an article on the future of Internet security. In the buglist, more buffer-overflow-causes-root-execution bugs. Also, word of interesting conferences and potentially-interesting products. And, if you have Solaris security questions, visit the newly-updated Pete's Security FAQ. (2,600 words)
Dedication: To Skip Rochford. We miss you.
Last month I described a proposal my company received from a major East Coast bank and our response to that proposal. The proposal was for the implementation of a secure Internet facility that would allow bank customers to retrieve private information, well, privately. Included in last month's column was our proposed architecture and discussion of its features. The column generated some interesting reader feedback...you were worried about me. Worried about my legal status and how I'd survive impending lawsuits. The lawsuits would occur, of course, when the facility was cracked and bad things happened to customer accounts and the bank's money.
This month I hope to assuage your fears. I'll describe the final architecture that we implemented and the steps we took to assure that it was "uncrackable." We also hit some roadblocks that are worth discussing, and learned a little about project management.
The road to hell is paved with works-in-progress.
The bank decided that my company would do the architecture and integration. We also brought in a subcontractor to do the application development and database implementation. The application work consisted of writing CGI scripts and SQL code. This code was needed to maintain the state of each customer's interaction with the facility, among other things. More details on the application later.
After several meetings with the bank (including product, marketing, and security personnel), the marketing company, the subcontractor, V-One, and Xenos, we hammered out an architecture that everyone could live with. Figure 1 shows the final architecture.
A comparison with the original proposed architecture in Figure 2 shows quite a few changes.
These were the major changes, and their reasons:
... tripwire, tiger, tcp_wrappers, etc. While the systems would have been secure, they would have been difficult for the bank to manage. Instead, we used the SeOS product from Memco to secure the machines. (SeOS has been discussed in previous columns.)
The application itself was quite complicated. It ended up including the following major pieces:
To finish a work? To finish a picture? What nonsense! To finish it means to be through with it, to kill it, to rid it of its soul, to give it its final blow . . . the coup de grâce for the painter as well as for the picture.
Ah, the delays
In the introduction I mentioned that I would discuss the "ugly" parts of the project. Unfortunately, the project went over budget and was late. Although this is not uncommon on large integration projects, it also did not make anyone happy. The reasons for the delays were many, including:
... SmartGate. These bugs resulted in temporary workarounds being implemented so that the project could hit its rollout deadlines. When the bugs were fixed, the workarounds had to be removed and the proper code implemented. Then all the code had to be re-tested. In retrospect, we could not have done much differently. Because the bugs were in a variety of tools, the workarounds were needed in each tool to allow us to exercise the other tools. Just waiting for bug fixes in one tool would have delayed finding the bugs in the other tools. Perhaps waiting six months before starting the project would have allowed all of the tools to be more mature.
While the project was being implemented, I wrote the facility security policy in conjunction with the bank's security personnel. The policy laid out the details of access to the facility, management of the facility, problem escalation, and change management. The facility was independently audited by SAIC (as described in a previous column) and found to be among the most secure they had seen.
Every man is the son of his own works.
--Miguel de Cervantes
Overall, the project took more time and money than expected because we had underestimated the effort needed to bring multiple, new technologies online and the difficulties involved in rolling out a first-of-its-kind facility. The facility was brought online in February with little fanfare. Because the bank is merging with an even larger bank, and because this is a new offering to customers, it has lower priority than other bank projects. The banks are merging their computing facilities, and this project will be forced to shut down during the merger. It will be brought back online after the main systems are merged. Until that merger completes, the bank won't advertise this facility. Nevertheless, through Web-based ads, this facility already has 4,000 customers, and that number is growing at the rate of 150 per day. On the whole, everyone is pleased with the state of the facility and the project that implemented it.
Bug of the Month
The time is right for a program scanner. This scanner would search through C source code and flag code that copies data into fixed-size buffers without guarding against overflow. Unfortunately, I don't know of any tools that provide this feature. I've reached the conclusion about the need for such a tool based on the bugs reported in eject and passwd.
eject is the program that simply ejects the floppy or CD-ROM from its drive. It is set-uid root so that any user is able to eject the media. Unfortunately, eject doesn't check its buffer allocation in the routine that checks the command-line arguments and determines which media the user wants to eject. By overflowing this buffer, eject can be made to execute an arbitrary program, as root.
Cristian Schipor, of the Computer Science Faculty in Bucharest, Romania, discovered the problem and has written exploits for Solaris 2.4 and 2.5.X. The quick fix is to disable the set-uid bit on eject. To regain the eject functionality, you can write a set-uid root C program that invokes eject with the proper arguments. This information and more is included in the bug report.
The passwd bug, similarly, results from a lack of bounds checking within the program. The result is the arbitrary execution of programs, as root, on any Solaris 2.3, 2.4, or 2.5 system. The bug report, and fix information, is included in an AusCERT advisory.
CERT is getting very antsy about INN. INN is a common news server, and version 1.5 of it is actively being attacked via well-published techniques. The solution is to upgrade to INN 1.5.1 as soon as possible. The details are in the CERT advisory.
If you're like most systems people -- too little time and too many interests -- then you should know about the SANS Network Security Digest. What this column does for Sun computers (in case you didn't know, it tries to keep you informed of everything Sun security related), the SANS digest does for computer security in general.
The March issue includes information on Microsoft Internet Explorer bugs, Solaris passwd buffer overruns, and bugs in 4.4BSD, FreeBSD, INN, and httpd, among other useful information. Here's the info:
The SANS Network Security Digest is published via e-mail approximately eight times a year. Its purpose is to help busy sysadmins and security professionals gain confidence that they are aware of the important security vulnerabilities and what can be done to resolve them. Subscriptions are always free for all who attend SANS and Network Security conferences. Others may also subscribe at no cost as long as their subscriptions are received before April 30, 1997. Free subscriptions entered before April 30 are effective through the end of next year (1998).
To subscribe, send e-mail to email@example.com with the subject line "SANS Network Security Digest" and, in the body, your name, title, organization, preferred e-mail address, and, if you also want an updated network security roadmap wall poster, your surface mailing address.
If you are concerned (as I am) with the rampant, uncontrolled exchange of private information on the Internet, then you'll be pleased to hear about ETrust. ETrust is a global initiative to create consumer confidence in electronic information exchange. It's set to roll out, in mid-1997, a set of seals-of-approval. The seals will be given to sites that abide by ETrust's rules of privacy. For more information, check out the ETrust home page (see Resources below).
The January 1997 issue of IEEE Computer includes several interesting articles on the Internet and security. Perhaps the most interesting to readers of this column is the article by Randall Atkinson, of Cisco, entitled Toward a More Secure Internet. This article spends a little time analyzing current Internet protocol security threats (ICMP, ARP, DNS, and IP itself). The rest of the article describes techniques, methods, and protocols that are being implemented to solve the security weaknesses of these protocols. Required reading.
April brings with it a conference that should not be missed by security professionals (and systems people with a security interest): SANS '97 promises to be better than ever. This year the conference is concentrating on case studies. In fact, I'll be presenting the secure bank facility described in this column in a talk there. I'll also be presenting a couple of sections of the "Security in a Melting Pot" workshop, which is designed to help people who work on security on multiple platforms keep those systems under control and secure.
If you're interested in Sun computers and their security, then you should add The Sun User Group Conference and Expo to your calendar (it's June 2-4, in Boston, MA). This conference will have tracks on security, system administration, the Internet, and one for developers. It will also have exhibits. I'll be teaching my Solaris Administration tutorial there and giving a couple of talks about Sun security. Hope to see you then.
Products
Single sign-on continues to be one of the holy grails for systems managers. Every year, we hear that the perfect product is a year away. Well, there's another product that is taking a shot at solving the problem. The product is FirstStep SSO by Millennium Computer Corporation. I haven't tried it, but if you're looking for a single sign-on solution, this one looks worth checking out.
About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at Peter.Galvin@sunworld.com.