Hello, I have more of a general privacy rather than a crypto question. I am trying to set up "tripwires" in the various computer accounts that i have so i will know if a superuser or sysadmin has accessed them. (it should be taken for granted at this point that all sensitive or personal data is encrypted and/or stored on floppies) i of course am only concerned with doing so for accounts that i don't already have su access with. i have accounts on various flavors of UNIX, but i am most interested in tripwires/scripts for Solaris 2.4-6. so far, the best i have been able to come up with is a couple of very ineffective tripwires. 1. a few lines in .Xlogout that write the host/date stamp to a file that is hidden a few directories deep. - this of course only works if someone logs in to my account using my own login/passwd, and it doesn't work over dialup at all. 2. i have a .environment file that will write all of the relevant user info to a file if that user adds my directory with the "add" command - this will catch all superuser accesses *if and only if* they add my directory. they could simply cd into my directory to bypass it. anyone have any ideas for tripwires or any other methods i can use, having only regular user access, to monitor ANY accesses made to my account, especially by superusers/sysadmins? thanks for your consideration of this question, ken
I have more of a general privacy rather than a crypto question. I am> trying to set up "tripwires" in the various computer accounts that i have> so i will know if a superuser or sysadmin has accessed them. (it should
Can you build a reliable login tripwire on a machine where you don't have root access and root is likely a malicious character? The answer is...maybe! It requires a fairly sophisticated protocol and a lot of work...here are three of my ideas that didn't pan out, one that probably would, and a lot of caveats. I'd appreciate comments, criticism, etc. from other 'punks. THE GOAL You have an account on a system on which you do not trust root, or on which you think someone else may be able to log in as you. You want to build an automated system which alerts you when someone logs in as other than yourself. (n.b.: we're just talking about a login tripwire. Root doesn't need to log in as you to read your mail or copy your files). THE PROBLEM The basic problem here is that you can't trust anything on the insecure system. Root can modify any file, any binary, your shell, your environment, the kernel, a program running in memory, logs, devices, etc. You want to get secure information out of an environment in which all incoming and outgoing communications can be tampered with at will. It's sort of like standing in front of a locked door to a speakeasy and wanting to know if your friend Ivan is inside. You can slide a paper through the slat and if Ivan is in inside, require that he prove himself by signing the paper. However, if the paper comes back blank and the bouncer says "he ain't here," how do you know that Ivan isn't tied up in the back room? I've thought of some protocols which root could defeat only if he had an above-average degree of technical sophistication...e.g., examing a running kernel and modifying it, disassembling binaries, etc. These are not normal admin tasks. However, trusting your adversary to be ill-educated is poor security practice. There is one good protocol I thought of, which would work except for the the #1 problem common to any attempt of this sort... THE ACHILLES HEEL ...and the #1 problem is: how do you determine if you (or someone posing as you) is logged on to the remote machine? Suppose the bouncer is honest. What if your adversaries can make Ivan invisible? Anything your account initiates via a .login script or similar can easily be avoided by root, who can modify these scripts before logging in and restoring them when done. This leaves you with some sort of automated checking to see if you're on, and a system to alert you if you are. The common ways of determining who's logged on to a system can fail or be circumvented: (a) utmp - notoriously easy to circumvent (utmp provides the info for who, finger, etc.) Sometimes an errant shell will circumvent this accidentally, to say nothing of a concerted effort. Root can modify this trivially. (b) ps to look for owned processes -- root can easily write a ps program that works normally except for devious reporting when he's masquerading as you. Even if you use a custom program (which you have to either import each time or hash-check), root can modify the kernel, your environment, etc. (c) you can see who owns /dev terminals, but again... (d) I'm not sure if there is some method of consulting the kernel. Modifying a running kernel is considerably more difficult than the above, but if there is a means of consulting the kernel to see who's on, root could certainly circumvent it. You could make SHA message digests of the relavent system binaries and include checks for them in your robot messanger, but root may already have changed them. And remember that root can control your shell, your environment, etc. Maybe you assume that your adversary could not do these things. I don't think there is no 100% reliable way to see authoritatively who's logged on to a system, even if your adversary is not a wizard. However, for the sake of discussion, let's assume for the moment that you find some method of determining who's logged in that you feel confidant with, either because your adversary lacks the technical ability to circumvent normal methods, or because they are one person secretly being naughty in an otherwise professional team that would notice changes, or because your own wizardry outstrips there's. The next trick is to build a robot to either sit inside the speakeasy to shout out to you if Ivan is there, or one that goes into the speakeasy, looks around, and reports back to you. The trick is making sure that the robot's voice is not impersonated by your enemies or that it is not rewired before being sent back to you. THINGS THAT WON'T WORK Any kind of notification system that is initiated by your login scripts. Anything that requires querying the insecure machine from a remote machine to ask if you're logged on. Root controls all inbound and outbound communication. Any sort of cron job run on the insecure machine -- root can turn these off, insert a spoofer, do his deeds, and then restore things, with you being none the wiser. These protocols all assume you have an account on a trusted machine that you feel is secure (you fool!), at least from the admin on the insecure machine. PROTOCOL #1 - DAEMON You set up a daemon on the insecure machine which once a minute sees who's on, and if you're on, sends that information along with a SHA message digest (hash) of itself and its process number to the remote machine, who checks to see if the process number or hash has changed, and then builds a log. You can then check this log to see if anyone was on when you don't remember being on. Problems: (*) root can monitor outbound mail. When he sees a message going to your secure machine, he simply replaces it. (*) root can grab the daemon's code out of memory, rewrite it so that it first asks root if it should say you're on, and then proceeds normally, sending out the same process number and SHA MD as an unmodified daemon would. He can even write a daemon that monitors for your daemon, correcting its output whenever you restart your daemon. PROTOCOL #2 - DAEMON IMPROVED Same as #1, but this time the daemon first asks for a public key from your secure host, and then encrypts its response using that key. This defeats the first attack above. Problems: (*) root can use a classic man-in-the-middle attack to harvest the key on inbound mail and then encrypt it for outbound mail. No improvement. PROTOCOL #3 - PROCMAIL + BINARY ROBOT The trusted machine contains a set of object files in a linkable state (i.e., post-compile, pre-link) for a binary robot which (a) checks to see if you are logged on to whatever machine the robot is running on, (b) encrypts this information using a public key, and (c) returns the encrypted "yes/no" to the trusted machine, as well as a SHA message digest of itself. You set the following up as a cron job to run every X minutes on the trusted machine. The longer the gap, the longer an intruder might be able to play around unnoticed. However, the shorter the gap, the higher the load, and you have to make sure the insecure machine can finish it's processing within the gap. Perhaps X should be semi-random. (a) the trusted machine generates a public/private key pair. The public key is placed in a linkable format and linked with the object files for the binary robot. The trusted machine notes the outbound binary's SHA message digest. (b) the trusted machine mails this binary robot to the insecure machine. At the insecure machine, you have a .procmailrc which looks for the robot and runs it (c) the robot checks to see if you're online, and encrypts a reply using the public key that's stored within it. It sends this back to the trusted machine. (d) the trusted machine decrypts the message. Because each key is different, one-time, and used sequentially, there should be no replay attack possibility here. The trusted machine checks the SHA MD, and if it's different, goes into alert mode -- sending you e-mail, paging you, whatever. Otherwise it just continues to build its log that you can examine later. You could do more processing -- perhaps you only turn on this system on the trusted machine when you're not logged into the insecure machine. If it detects you are on while it's running, it goes into alert mode. (e) lather, rinse, repeat. Problems: (*) impracticalities of system load, and possible processing time length, as noted above (*) Root could sabotage procmail so instead of spawning your robot, it spawns one of root's. This mischevious binary then digs out the public key from your robot's binary code, and returns a message with a "no, he's not on" message and an SHA message digest of your binary. (He could also delete your .procmailrc or otherwise stop your automated system, but this would be obvious and suspicious). Since he'll have your binary and your public key, there is no way to prevent this man-in-the-middle attack. PROTOCOL #4 - PROCMAIL + BINARY, IMPROVED Same as #3, but when the trusted machine links your little binary robot, it randomly selects one of many random object files which contain some trivial operation for the robot to perform. The results of this operation are then appended to the robot's reply. Examples of these random operations: -- print out the date in format X -- print "CNN Anchorwoman Lynn Russell is a goddess" -- lookup root's shell and `ls -l` it into the message -- print out the first 15 prime numbers into the message -- multiply pi by 9.856497 and print out the result -- figure the SHA hash of /bin/sh and print it etc. If this robot is intercepted, it will be difficult for root's robot to mimic its behavior. Yes, root could manually disassemble it and figure out what it's secret operation is and build his own binary to mimic it, but not in the minute or two that the binary will run before the next robot each time would likely not work, because the compiler might link them all at the same place and root's malicious binary could examine the binary and ferret out the string automatically. The random operations do not have to be complex, but they must have these qualities: (*) the result must be definitively known to the trusted system (e.g., something like "finger root to see when he last logged in" will not work. But "figure 9 to the 7th power and print the result" would) (*) the operation must be reasonably fast -- you don't want the robot doing a long calculation, which might let root analyze the robot, kill it, perform the calculation himself (perhaps on a faster machine), and spoof the reply. Diversity is more important than complexity (*) there must be a large pool of these operations to choose from (*) the choosing must be random. Obviously, it will be pseudorandom, but a strong pseudorandom system with least-significant time seeds should be sufficient, unless the insecure machine's root in this case is root@nsa.gov. Problems: (*) again, impracticalities of system load, and possible processing time length, as noted above (*) root will be able to save and analyze the robot binaries. If the pool is not diverse enough, root might be able to determine the likely next message and spoof the reply. This will not be detectable from the trusted machine's perspective. However, the trusted machine might (a) have a large pool of random operations to choose from to make this impractical, or (b) simply have a subroutine which randomly generates random operations from a pool of pieces -- e.g., a set of rules from which it randomly picks, and then performs other random operations to generate the actual operation. (i.e., rule #85 says pick three floating-point numbers and generate an operation wherein the robot has to figure out the cosine of each). This would be much more difficult to predict/spoof. CONCLUSIONS First and foremost, the difficult of accurately determining who's on will likely undermine any attempt to set up a login tripwire. Also, we're talking about a login tripwire. Suppose I'm root and I want to copy a file from your home directory called diary-of-my-sexlife. All I have to do is note the access/modify/change times, copy the file, and then restore these times with touch(1). You can't detect or prevent read-only access. Going to all the work of implementing protocol #4, the most reliable of these, would likely result in a reasonably secure way of determing if you're logged in (again, with the difficulty of determining who's logged on caveats), but is it worth all this effort? I was just thinking these things up because I was bored. If I really had an account on a system I didn't trust, I would cancel it. -- Andrew Fabbro [afabbro@umich.edu] [andrewf@jesuswept.com] http://www-personal.umich.edu/~afabbro/ 313.647.2713 "We make money the old fashion way. We print it." - DigiCrime
At 08:38 PM 3/5/98 -0500, andrew fabbro wrote:
Can you build a reliable login tripwire on a machine where you don't have root access and root is likely a malicious character? The answer is...maybe! It requires a fairly sophisticated protocol and a lot of work...here are three of my ideas that didn't pan out, one that probably would, and a lot of caveats. I'd appreciate comments, criticism, etc. from other 'punks.
Look up Ross Anderson et al's paper, Programming Satan's Computer, in which a similarly omnipotent and malicious programming environment is discussed. ------------------------------------------------------------ David Honig Orbit Technology honig@otc.net Intaanetto Jigyoubu "But if we have to use force, it is because we are America; we are the indispensable nation." ---Secretary of State Madeleine K. Albright http://www.jya.com/see-far.htm
At 01:11 PM 3/5/98 -0500, Ken Williams wrote:
trying to set up "tripwires" in the various computer accounts that i have so i will know if a superuser or sysadmin has accessed them.
In the general case, you can't do it, though there may be special environments which let you do this but still let you do useful work. If somebody else controls the RAM, file systems, and communications on a computer, and you don't, you have no way to tell what they've done. For instance, anybody who can read raw blocks off the disk can read your files without triggering any mechanisms you control. Anybody who can read incoming packets off the LAN and WAN can read your email before putting it in your mailbox. If you convince people to encrypt mail before sending it to you, and you encrypt any data you store on the system's disk blocks, using programs that aren't running on that computer, reading your stuff may not be very interesting to the sysadm. But if you run the decryption program on the system, and the sysadm can read your keystrokes (either from a keyboard or tty driver or telnet daemon), you're still naked. There's been some theoretical work done into computing entirely with encrypted data, and for a few specific mathematical problems it's probably possible to get useful work done by an untrusted processor, but usually the computations required for blinding and unblinding are more work that the untrusted processor did for you anyway. Short of that, the closest you'll find are secure operating systems rated at Orange Book B2 or above (B3 and A, if any), which don't have one all-powerful superuser. In those systems, if the person who has access to the raw disk (either physically or by asking the OS) doesn't cheat, you have some guarantees about security, and in particular you have some guarantees that nobody _but_ the semi-super-users can crack the system in ways that give them access to your bits. Unless all writes to the disk drive are encrypted, anybody who's got unsupervised physical access to the disk is a semi-super-user, because they can steal the disk and plug it into their own machine, where they're as super a user as they want to be. If you're concerned about the machine being physically compromised, you could set up an application that's always sending keepalives across the net to your off-site monitoring location, but that's pretty annoying, leads to lots of false alarms, may still be crackable (though cracking may interrupt the system briefly, which is the win), and is overall not very practical. But it might let you know that the disk drive has been stolen. Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
participants (4)
-
andrew fabbro -
Bill Stewart -
David Honig -
Ken Williams