Return to book
Review this book
About the author
Introduction
1. Access Control
2. Authentication
3. Biometrics
4. Crypto Engineering
- 4.1. Software Crypto
- 4.2. Hardware Crypto
5. Malware
- 5.1. Virus
- 5.2. Worm
- 5.3. Trojan Horse
- 5.4. Writing Virus
- 5.5. Rootkits
- 5.6. Anti-virus software
- 5.7. Inside popular software
6. Protecting Clients
7. Security and Usability
- 7.1. User Interface (UI)
- 7.2. Passwords
- 7.3. Cognitive Experiment
- 7.4. Insider Attacks
8. Secure Programming
- 8.1. Buffer overflow
  - 8.1.1. Buffer Overflow Protections
  - 8.1.2. Exploit Buffer Overflow
- 8.2. Secure C practice
- 8.3. secure-sensitive program
9. Physical Security
10. (Web Service) Architecture
- 10.1. Contents and Scripts
11. Confinements
- 11.1. chroot
- 11.2. JVM
- 11.3. Network Identity
- 11.4. Virtual Machine
- 11.5. Sandbox
12. Program Structure
- 12.1. Case study: 4.3BSD FTP Daemon
- 12.2. Case study: mailer
- 12.3. Case study: Web Browser
13. Security Analysis
- 13.1. Construction vs. Destruction
- 13.2. Analyze individual programs
- 13.3. Analyze overall system
- 13.4. Software Engineering Code of Ethics
- 13.5. Tools part 1: OS system calls
- 13.6. Tools part 2: fuzzing and more
- 13.7. Reconnaissance
14. The Internet of Things
- 14.1. Embedded Systems (Smart Devices)
- 14.2. Internet of Things Architecture
- 14.3. Case study: Thermostat
15. Logging
- 15.1. Loggin in practice
- 15.2. Log Incidents
- 15.3. Case study: PHP4 web server attack
16. After An Attack
- 16.1. Analyze a hacked system
- 16.2. Deleted Files
- 16.3. Monitor Intrusion
- 16.4. Conclusion
17. System Structure
- 17.1. Case study: build an e-commerce
- 17.2. Network Operation Center
- 17.3. Router Link Weakness
- 17.4. Remote Access
- 17.5. Question: store credit card number in database?
- 17.6. General Principle
18. Exams
- 18.1. Fall 2014 Midterm
- 18.2. Fall 2013 Midterm
- 18.3. Fall 2010 Midterm
- 18.4. Fall 2008 Midterm

Security Architecture and Engineering

Tools part 1: OS system calls

`mount` command

Attach some device as a subtree at some point in the file system. home/ is a system directory that was mount by system call.

root@mshen: ls /mnt
root@mshen: mount /dev/sdb1 /mnt
root@mshen: ls /mnt
root@mshen: BROTHER text.pdf

Looking on Linux..

ls -l /bin/mount
-rwsr-xr-x 1 root root...

Why setuid: allow normal user to have priviledge operations!

Trying Mount

/bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
mount: only root can do that
$ cp /bin/mount .
$ ./mount -t iso9660 /dev/cdrom /mnt
mount: must be superuser to use mount

Same problem, different message! The code path is different somehow.. $\rightarrow$ How do we find out what's happening?

`strace` trace system calls:

strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

Run `strace`:

getuid32() = 7994
geteuid32() = 7994
lstat64("/etc/mtab", st_mode=S_IFREG|0644, st_size=1634, ...) = 0
stat64("/sbin/mount.iso9660", 0xbfffa9a0) = -1 ENOENT (No such file or directory)
rt_sigprocmask(SIG_BLOCK, ˜[TRAP SEGV RTMIN], NULL, 8) = 0
mount("/dev/cdrom", "/mnt/cdrom", "iso9660",
MS_POSIXACL|MS_ACTIVE|MS_NOUSER|0xec0000, 0) = -1 EPERM
rt_sigprocmask(SIG_UNBLOCK, ˜[TRAP SEGV RTMIN], NULL, 8) = 0
...
write(2, "mount: must be superuser to use ..."

The message is the unpriviledged version.

`ltrace` trace `library calls`:

ltrace is a program that simply runs the specified command until it exits. It intercepts and records the dynamic library calls which are called by the executed process and the signals which are received by that process. It can also intercept and print the system calls executed by the program.

__strdup(0xbff2abb3, 4095, 0xb7d0a000, 373, 0)= 0x9c3cd28
__strdup(0xbff2aba0, 4095, 0xb7d0a000, 373, 0)= 0x9c3cd38
sprintf("/sbin/mount.iso9660", "/sbin/mount.%s", "iso9660") = 19

Can we exploit springf by bufferoverflow?

`strings` coomand

Looks at a file, and print out anything that looks like a character string.

$ strings mount | more

Security Architecture and Engineering

Tools part 1: OS system calls

mount command

Looking on Linux..

Trying Mount

strace trace system calls:

Run strace:

ltrace trace library calls:

strings coomand

`mount` command

`strace` trace system calls:

Run `strace`:

`ltrace` trace `library calls`:

`strings` coomand