Trials and tribulations of building an e-commerce server
In part two, we take an in-depth look at the design and implementation of a secure Internet commerce facility. Plus, Bug of the Month focuses on the eject and passwd bugs.
The secure Internet commerce facility project continues. This month's column includes the design decisions made, the implementation (the good, the bad, and the ugly), and the valuable lessons that working on such a project imparts. Also in Pete's Wicked World this month: the bookstore has information on a hot new newsletter, an Internet privacy consortium, and an article on the future of Internet security. In the buglist, more buffer-overflow-causes-root-execution bugs. Also, word of interesting conferences and potentially interesting products. And, if you have Solaris security questions, visit the newly updated Pete's Security FAQ. (2,600 words)
Dedication: To Skip Rochford. We miss you.
Last month I described a proposal my company received from a major East Coast bank and our response to that proposal. The proposal was for the implementation of a secure Internet facility that would allow bank customers to retrieve private information, well, privately. Included in last month's column was our proposed architecture and discussion of its features. The column generated some interesting reader feedback...you were worried about me. Worried about my legal status and how I'd survive impending lawsuits. The lawsuits would occur, of course, when the facility was cracked and bad things happened to customer accounts and the bank's money.
This month I hope to assuage your fears. I'll describe the final architecture that we implemented and the steps we took to assure that it was "uncrackable." We also hit some roadblocks that are worth discussing, and learned a little about project management.
The road to hell is paved with works-in-progress.--Philip Roth
The bank decided that my company would do the architecture and integration. We also brought in a subcontractor to do the application development and database implementation. The application work consisted of writing CGI scripts and SQL code. This code was needed to maintain the state of each customer's interaction with the facility, among other things. More details on the application later.
After several meetings with the bank (including product, marketing, and security personnel), the marketing company, the subcontractor, V-One, and Xenos, we hammered out an architecture that everyone could live with. Figure 1 shows the final architecture. A comparison with the original proposed architecture in Figure 2 shows quite a few changes.
These were the major changes, and their reasons:
Host hardening: we dropped the plan to secure the hosts with tripwire, tiger, tcp_wrappers, etc. While the systems would have been secure with those tools, they would have been difficult for the bank to manage. Instead, we used the SeOS product from Memco to secure the machines. (SeOS has been discussed in previous columns.)
The application itself was quite complicated. It ended up including the following major pieces:
To finish a work? To finish a picture? What nonsense! To finish it means to be through with it, to kill it, to rid it of its soul, to give it its final blow . . . the coup de grâce for the painter as well as for the picture.--Pablo Picasso
Ah, the delays
In the introduction I mentioned that I would discuss the "ugly" parts of the project. Unfortunately, the project went over budget and was late. Although this is not uncommon on large integration projects, it also did not make anyone happy. The reasons for the delays were many, including:
Bugs in several of the tools, among them SeOS and SmartGate. These bugs resulted in temporary workarounds being implemented to allow the project to hit rollout deadlines. When the bugs were fixed, the workarounds had to be removed and the proper code implemented. Then all the code had to be re-tested. In retrospect, we could not have done much differently. Because the bugs were in a variety of tools, the workarounds were needed in each tool to allow us to exercise the other tools. Just waiting for bug fixes in one tool would have delayed finding the bugs in the other tools. Perhaps waiting six months before starting the project would have allowed all of the tools to be more mature.
While the project was being implemented, I wrote the facility security policy in conjunction with the bank's security personnel. The policy laid out the details of access to the facility, management of the facility, problem escalation, and change management. The facility was independently audited by SAIC (as described in a previous column) and found to be among the most secure they had seen.
Every man is the son of his own works.--Miguel de Cervantes
Overall, the project took more time and money than expected because we had underestimated the effort needed to bring multiple, new technologies online and the difficulties involved in rolling out a first-of-its-kind facility. The facility was brought online in February with little fanfare. Because the bank is merging with an even larger bank, and because this is a new offering to customers, it has lower priority than other bank projects. The banks are merging their computing facilities, and this project will be forced to shut down during the merger. It will be brought back online after the main systems are merged. Until that merger completes, the bank won't advertise this facility. Nevertheless, through Web-based ads, this facility already has 4,000 customers, and that number is growing at the rate of 150 per day. On the whole, everyone is pleased with the state of the facility and the project that implemented it.
Bug of the Month Club
The time is right for a program scanner. This scanner would search through C source code and flag code that copies data into fixed-size buffers without checking the length of what it copies. Unfortunately, I don't know of any tools that provide this feature. I've reached the conclusion about the need for such a tool based on bugs reported in eject and passwd. Yes, eject is the program that simply ejects the floppy or CD-ROM from its drive. This program is set-uid root to enable any user to eject the media (eject does a umount). Unfortunately, it doesn't bounds-check a buffer in its media_find routine. This routine is used to parse the command-line arguments and determine which media the user wants to eject. By supplying an argument long enough to overflow this buffer, eject can be made to execute an arbitrary program, as root.
Cristian Schipor, on the Computer Science Faculty in Bucharest, Romania, discovered the problem and has written exploits for Solaris 2.4 and 2.5.X. The quick fix is to disable the set-uid bit on eject. To regain the eject functionality, you can write a quick set-uid root C program that invokes eject with the proper arguments. Remember that such a wrapper inherits the root privilege: it must validate its own argument (a fixed list of device names is safest) and invoke eject by its full path rather than forwarding whatever the user typed. This information and more is included in the eject bug report.
The passwd bug, similarly, results from a lack of bounds checking within the program. The result is the arbitrary execution of programs, as root, on any Solaris 2.3, 2.4, or 2.5 system. The bug report, and fix information, is included in AusCERT report 97.09.
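The eject and passwd reports above describe the same bug class: a command-line argument copied into a fixed buffer with no length check, in a set-uid root program. The following is an added example, not Sun's eject source and not the exploit; it shows the unsafe copy pattern beside a bounded replacement, and the argument check that the set-uid wrapper suggested above should perform before handing anything to eject. The buffer size, the function names (media_find_unsafe, media_find_safe, device_path, wrapper_arg_ok, run_eject) and the /usr/bin/eject path are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed fixed buffer size for illustration; the real sizes in eject
 * and passwd are not stated in the column. */
#define NAME_MAX_LEN 32

/* UNSAFE pattern (shown for contrast only; never call with untrusted
 * input): the argument is copied into a fixed stack buffer with no length
 * check. An argv string longer than NAME_MAX_LEN overwrites what sits above
 * the buffer on the stack (saved registers, return address). In a set-uid
 * root program that is how "arbitrary program, as root" happens. */
int media_find_unsafe(const char *arg, char *dev, size_t devlen)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, arg);                        /* the missing bounds check */
    snprintf(dev, devlen, "/dev/%s", buf);
    return 0;
}

/* Bounded replacement: refuse anything that does not fit instead of
 * truncating it. A silently truncated name could refer to a different
 * device, so rejection is the right failure mode. Returns 0 on success,
 * -1 if the input is empty, too long, or the output would not fit. */
int media_find_safe(const char *arg, char *dev, size_t devlen)
{
    char buf[NAME_MAX_LEN];
    size_t n = strlen(arg);
    if (n == 0 || n >= NAME_MAX_LEN)
        return -1;                           /* does not fit: reject */
    memcpy(buf, arg, n + 1);                 /* fits, NUL included */
    int r = snprintf(dev, devlen, "/dev/%s", buf);
    if (r < 0 || (size_t)r >= devlen)
        return -1;                           /* output would be truncated */
    return 0;
}

/* Convenience form returning a static buffer, or NULL when rejected. */
const char *device_path(const char *arg)
{
    static char dev[64];
    return media_find_safe(arg, dev, sizeof dev) == 0 ? dev : NULL;
}

/* What a set-uid root wrapper around eject must do before exec'ing it:
 * accept only short names of letters, digits and underscores, so no '/',
 * no "..", and no leading '-' (which eject would parse as an option).
 * Returns 1 if the argument may be forwarded, 0 otherwise. */
int wrapper_arg_ok(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= NAME_MAX_LEN || arg[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Wrapper body: fixed program path (a set-uid program must not trust
 * PATH), fixed argv, empty environment. /usr/bin/eject is where Solaris
 * keeps it; treat the path as an assumption elsewhere. */
int run_eject(const char *arg)
{
    if (!wrapper_arg_ok(arg)) {
        fprintf(stderr, "eject-wrapper: refusing argument\n");
        return 2;
    }
    char *const argv[] = { "eject", (char *)arg, NULL };
    char *const envp[] = { NULL };
    execve("/usr/bin/eject", argv, envp);
    perror("execve");                        /* only reached on failure */
    return 127;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <device-name>\n", argv[0]);
        return 2;
    }
    return run_eject(argv[1]);
}
```

Build it, make the binary set-uid root only after you have read every line, and note that the allowlist (letters, digits, underscore) is deliberately narrower than what eject itself accepts: the wrapper's job is to remove the long, hostile argument from the picture, not to reproduce eject's full interface.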
CERT is getting very antsy about INN. INN is a common news server, and version 1.5 of it is actively being attacked via well-published techniques. The solution is to upgrade to INN 1.5.1 as soon as possible. The details are in the CERT advisory.
The Bookstore
If you're like most systems people -- too little time and too many interests -- then you should know about the SANS Network Security Digest. What this column does for Sun computers (in case you didn't know, it tries to keep you informed of everything Sun security related), the SANS digest does for computer security in general.
The March issue includes information on Microsoft Internet Explorer bugs, Solaris passwd buffer overruns, and bugs in 4.4BSD, FreeBSD, INN, httpd, among other useful information. Here's the info:
The SANS Network Security Digest is published via e-mail approximately eight times a year. Its purpose is to help busy sysadmins and security professionals gain confidence that they are aware of the important security vulnerabilities and what can be done to resolve them. Subscriptions are always free for all who attend SANS and Network Security conferences. Others may also subscribe at no cost as long as their subscriptions are received before April 30, 1997. Free subscriptions entered before April 30 are effective through the end of next year (1998). To subscribe, send e-mail to sans@clark.net. In the Subject: SANS Network Security Digest. In the Body: name, title, organization, preferred e-mail address, and, if you also want an updated network security roadmap wall poster, your surface mailing address.
If you are concerned (as I am) with the rampant, uncontrolled exchange of private information on the Internet, then you'll be pleased to hear about ETrust. ETrust is a global initiative to create consumer confidence in electronic information exchange. It's set to roll out, in mid-1997, a set of seals-of-approval. The seals will be given to sites that abide by ETrust's rules of privacy. For more information, check out the ETrust home page (see Resources below).
The January 1997 issue of IEEE Computer includes several interesting articles on the Internet and security. Perhaps the most interesting to readers of this column is the article by Randall Atkinson, of Cisco, entitled Toward a More Secure Internet. This article spends a little time analyzing current Internet protocol security threats (ICMP, ARP, DNS, and IP itself). The rest of the article describes techniques, methods, and protocols that are being implemented to solve the security weaknesses of these protocols. Required reading.
Conferences
April brings with it a conference that should not be missed by security professionals (and systems people with a security interest): SANS '97 promises to be better than ever. This year the conference is concentrating on case studies. In fact, I'll be presenting the secure bank facility described in this column in a talk there. I'll also be presenting a couple of sections of the "Security in a Melting Pot" workshop, which is designed to help people who work on security on multiple platforms keep those systems under control and secure.
If you're interested in Sun computers and their security, then you should add The Sun User Group Conference and Expo to your calendar (it's June 2-4, in Boston, MA). This conference will have tracks on security, system administration, the Internet, and one for developers. It will also have exhibits. I'll be teaching my Solaris Administration tutorial there and giving a couple of talks about Sun security. Hope to see you then.
Potentially interesting products
Single sign-on continues to be one of the holy grails for systems managers. Every year, we hear that the perfect product is a year away. Well, there's another product that is taking a shot at solving the problem. The product is FirstStep SSO by Millennium Computer Corporation. I haven't tried it, but if you're looking for a single sign-on solution, this one looks worth checking out.
Resources
About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook.
Reach Peter at Peter.Galvin@sunworld.com.
URL: http://www.sunworld.com/swol-04-1997/swol-04-security.html