Project 2: Access controls

  • This project is due at 11:59pm on Friday, Oct 11, 2024.

Description and Deliverables

In this project, you will gain experience with Linux file permissions and the AppArmor manditory access control system. Your first task is to inspect a filesystem that we provide you and try to determine which files have insecure access permissions. By “insecure,” we mean that the file permissions would allow an unpriveleged user to mount an attack on another user on the same Unix system—to detect such an insecurity, you should compare the permissions of an insecure file to the files around them or to the files in your own secured Linux VM.

After determining which files have insecure settings, you will need to provide commands which fix the settings. There are at least 13 files with incorrect settings, you will need to find 10 of them to get full credit.

In the next part of the assignment, you will create an apparmor policy that restricts a given program from accessing files that it does not need for its job.

To receive full credit for this project, you will turn in the following two things:

  • A file named fs.txt that contains commands to fix the file system permissions.
  • A file named p2.txt which contains an output from the p2 program.
  • A file named home.user.p2 containing your apparmor policy.
  • You will need to make your first submission before 11.59pm on Oct 4. It does not have to be complete, but the submission should indicate you have started the project.

Each of these deliverables is described in greater detail below.

Part 1: File system

You have recovered the file system of an image that was possibly used in a security attack. mount it in your linux virtual machine. This is an ext4 file system image, you can mount it as follows:

$ wget https://shelat.khoury.northeastern.edu/dl/24f-2550/project2.ext4.gz
$ gunzip project2.ext4.gz
$ sudo mount project2.ext4 /mnt
$ ls -al /mnt

Now you should see the “root” disk of this captured machine under /mnt. We are now going to explore the filesystem. In order to immerse yourself into the image without actually booting this potentially compromised machine, you are going to be running your virtual machine “kernel”, while exploring the file system as if you were running that system. To do this, we are going to use a program called chroot, which we will study later in this course. The chroot allows you to run a program while making the program think that its root is another directory. In this case, we are going to run the bash shell as root using the new captured file system as the root directory:

$ sudo chroot /mnt /bin/bash
root@cs-689819938637-default:/# 

After you run this command the prompt should change. You are now running a shell while using the mounted file system as your new root.

This file system has several incorrectly set file system permissions which can be easily exploited by an adversary to violate expected behavior. In order to get full credit, you will need to identify at least 10 files or directories which have incorrect permissions. Note, one of the first tasks you will need to do is navigate around the Linux filesystem. You can use the commands cd <dir>, ls -al and cd .. to navigate the file system.

When you are done, simply type exit to quit the current shell, and return to your original shell.

root@cs-689819938637-default:/#  exit
$

We suggest that you compare the permissions in your linux virtual machine with those from the captured machine. To do this, consider opening two shells in your VM and inspecting the same file on both machine. Your linux virtual machine is likely a good reference for how permissions should be set.

Once you detect a problem, your job is to fix the problem by issuing a command as root that changes the permissions, ownership, or group of the file to the best possible setting.

As a hint, you do not need to look in the \mnt, \media or \boot directories. Also, you can ignore any links, i.e., files that have an l in the first position. Links are usually set with permissions 777 because of the way they are implemented and used. This part of the assignment took the TA (who has experience with Linux) about 2 hours of work to find all files.

Note: you will need to think critically about what types of permissions misconfigurations can cause security vulnerabilities. For example, if an attacker is able to change a binary that every user runs (e.g., ls or ps etc), what kind of attack could they mount? What about shared libraries? What about log files? What about configuration files?

File Format for Part 1

To complete part 1 of this project, you will turn in a file named fs.txt that contains the commands used to fix the file permission setting that you found. Each command should appear on a separate line. For example, the format of a valid submission might look like this:

chmod 744 /etc/passwd
chown steve:wheel /etc/group
...

AppArmor

Recall from lecture that AppArmor is a manditory access control system available on modern Ubuntu machines that restricts what executing processes can do when they run under any user.

In this section, you will design an AppArmor policy for a new Linux executable provided here. This program starts a webserver that performs some local services for you. The service opens a network connection and listens on port 8080, and reads and writes several files to provide its service.

Your policy should restrict it from accessing files that it does not need to perform its function. After downloading the program into your linux VM, you can run it as follows:

$ wget https://shelat.khoury.northeastern.edu/dl/24f-2550/p2
$ wget https://shelat.khoury.northeastern.edu/dl/24f-2550/template
$ chmod u+x p2
$ ./p2 
homedir: /home/hi_abhi/.proj2
2024/09/23 04:00:29 starting server at localhost:8080

If you use curl to access the page localhost:8080, you will see a message that states

$ curl localhost:8080
2024/09/15 10:10:27 Handling request
Congrats! Your server started, but your system allowed 94 files to be accessed that were not needed. abhi 2024-09-15 10:10:27.736198577 +0000 UTC m=+9.545383865 CkNxiyW4liEzlcZmiaOQqaeVTl8kzg11Z1pFRqOTkyw=

Your goal is to design an AppArmor policy that reduces the number of files that are accessed. This assignment will require you to learn about the details of an AppArmor policy. We suggest man apparmor as well as other internet resources for how to begin. You can stop the p2 program by pressing ctrl-c at the terminal prompt.

To start, you can create a starting policy by running

$  sudo apt install apparmor-utils
$  sudo aa-genprof p2

This command will offer you an opportunity to “Scan” and “Finish”. You can press “Finish” or “F” to exit, and it will create the file /etc/apparmor.d/home.<yourusername>.p2 containing the default policy.

# Last Modified: Mon Sep 23 04:03:29 2024
abi <abi/3.0>,

include <tunables/global>

/home/hi_abhi/project2/p2 {
  include <abstractions/base>

  /home/hi_abhi/project2/p2 mr,

}

Unfortunately, if you now try to start p2 again, the policy will prevent p2 from creating a temporary file that it needs. You will need to add some rules to allow that access. In general, as you add rules that are too strict, the program will fail to start. You can use the command

$ sudo apparmor_parser -r /etc/apparmor.d/home.abhi.p2

Try to find the smallest set of rules which allow the program to run, but prevents all unnecessary file accesses. To help you, try placing the apparmor policy into “audit” mode using sudo aa-audit p2 and then looking at the /var/log/kern.log file for AUDIT entries from apparmor. Note, you can use the @{HOME} macro in your apparmor policy to specify your HOME directory.

This part of the assignment will require you to do some research on how to use apparmor. You can use the internet to learn about the syntax of this tool.

File format

Copy and paste the entire string output of your curl command into the file p2.txt. Note that the long string of base64-encoded characters is a “MAC” on the message. We will use this string to grade your assignment. It is specially crafted for your account.

Copy your /etc/apparmor.d/home.<username>.p2 file to home.user.p2. (Please use the specific word “user” so that our grading script can easily find it.)

Submission Details

Please follow these directions exactly.

  1. Create a directory project2 under your git repo.
  2. Add the file fs.txt to this directory.
  3. Add the file p2.txt
  4. Add the file home.user.p2 containing your apparmor policy
  5. Submit your project in gradescope. Feel free to resubmit the project as many times as you like. It is ok to have extra files in the repository as well, just make sure you have those two for us to find.

Grading

This project is worth 10% of your final grade, broken down as follows (out of 100):

  • 10 points - To ensure that you get started on this project before the last minute, you will need to submit all three files, even if incomplete, by 11.59pm on Oct 4.
  • 6 points each for up to 10 correct permissions setting fix commands in fs.txt
  • 20 points - Your Apparmor policy is less than 20 lines and allows <20 unnecessary files
  • 10 points - Your Apparmor policy is less than 20 lines and allows 0 unnecessary files

Points can be lost for turning in files in incorrect formats (e.g. not ASCII), failing to follow specified formatting or naming conventions, failing to compile, failing to follow specified command line syntax, insufficient or incorrect randomization, etc., failing to follow specified formatting or length conventions, etc.

More hints

  • You can fix the following error by removing the lxc- files.
$ sudo aa-genprof p2
Updating AppArmor profiles in /etc/apparmor.d.

ERROR: Conflicting profiles for /usr/bin/lxc-start defined in two files:
- /etc/apparmor.d/usr.bin.lxc-copy
- /etc/apparmor.d/usr.bin.lxc-start
$ sudo rm /etc/apparmor.d/usr.bin.lxc-copy
$ sudo rm /etc/apparmor.d/usr.bin.lxc-start
$ sudo aa-genprof p2
<now works...>