environment variables attacks environment variables
play

Environment Variables & Attacks Environment Variables A set - PowerPoint PPT Presentation

Apr 10, 2024 •110 likes •477 views

Environment Variables & Attacks Environment Variables A set of dynamic named values Part of the operating environment in which a process runs Affect the way that a running process will behave Introduced in Unix and also

  1. Environment Variables & Attacks

  2. Environment Variables • A set of dynamic named values • Part of the operating environment in which a process runs • Affect the way that a running process will behave • Introduced in Unix and also adopted by Microsoft Windows • Example: PATH variable • When a program is executed the shell process will use the environment variable to find where the program is, if the full path is not provided.

  3. How to Access Environment Variables From the main function More reliable way: Using the global variable

  4. How Does a process get Environment Variables? • Process can get environment variables one of two ways: • If a new process is created using fork() system call, the child process will inherits its parent process’s environment variables. • If a process runs a new program in itself, it typically uses execve() system call. In this scenario, the memory space is overwritten and all old environment variables are lost. execve() can be invoked in a special manner to pass environment variables from one process to another. • Passing environment variables when invoking execve() :

  5. execve() and Environment variables • The program executes a new program /usr/bin/env , which prints out the environment variables of the current process. • We construct a new variable newenv , and use it as the 3rd argument.

  6. execve() and Environment variables Obtained from the parent process

  7. Memory Location for Environment Variables • envp and environ points to the same place initially. • envp is only accessible inside the main function, while environ is a global variable. • When changes are made to the environment variables (e.g., new ones are added), the location for storing the environment variables may be moved to the heap, so environ will change ( envp does not change)

  8. Shell Variables & Environment Variables • People often mistake shell variables and environment variables to be the same. • Shell Variables: • Internal variables used by shell. • Shell provides built-in commands to allow users to create, assign and delete shell variables. • In the example, we create a shell variable called FOO.

  9. Side Note on The /proc File System • /proc is a virtual file system in linux. It contains a directory for each process, using the process ID as the name of the directory • Each process directory has a virtual file called environ, which contains the environment of the process. • e.g., virtual file /proc/932/environ contains the environment variable of process 932 • The command “ strings /proc/$$/environ ” prints out the environment variable of the current process (shell will replace $$ with its own process ID) • When env program is invoked in a bash shell, it runs in a child process. Therefore, it print out the environment variables of the shell’s child process, not its own.

  10. Shell Variables & Environment Variables • Shell variables and environment variables are different • When a shell program starts, it copies the environment variables into its own shell variables. Changes made to the shell variable will not reflect on the environment variables, as shown in example : Environment variable Shell variable Shell variable is changed Environment variable is the same Shell variable is gone Environment variable is still here

  11. Shell Variables & Environment Variables • This figure shows how shell variables affect the environment variables of child processes • It also shows how the parent shell’s environment variables becomes the child process’s environment variables (via shell variables)

  12. Shell Variables & Environment Variables • When we type env in shell prompt, shell will create a child process Print out environment variable Only LOGNAME and LOGNAME3 get into the child process, but not LOGNAME2. Why?

  13. Attack Surface on Environment Variables • Hidden usage of environment variables is dangerous. • Since users can set environment variables, they become part of the attack surface on Set-UID programs.

  14. Attacks via Dynamic Linker • Linking finds the external library code referenced in the program • Linking can be done during runtime or compile time: • Dynamic Linking – uses environment variables, which becomes part of the attack surface • Static Linking • We will use the following example to differentiate static and dynamic linking:

  15. Attacks via Dynamic Linker Static Linking • The linker combines the program’s code and the library code containing the printf() function • We can notice that the size of a static compiled program is 100 times larger than a dynamic program

  16. Attacks via Dynamic Linker Dynamic Linking • The linking is done during runtime • Shared libraries (DLL in windows) • Before a program compiled with dynamic linking is run, its executable is loaded into the memory first

  17. Attacks via Dynamic Linker Dynamic Linking: • We can use “ldd” command to see what shared libraries a program depends on : for system calls The dynamic linker itself is in a shared The libc library (contains functions library. It is invoked before the main like printf() and sleep()) function gets invoked.

  18. Attacks via Dynamic Linker: the Risk • Dynamic linking saves memory • This means that a part of the program’s code is undecided during the compilation time • If the user can influence the missing code, they can compromise the integrity of the program

  19. Attacks via Dynamic Linker: Case Study 1 • LD_PRELOAD contains a list of shared libraries which will be searched first by the linker • If not all functions are found, the linker will search among several lists of folder including the one specified by LD_LIBRARY_PATH • Both variables can be set by users, so it gives them an opportunity to control the outcome of the linking process • If that program were a Set-UID program, it may lead to security breaches

  20. Attacks via Dynamic Linker: Case Study 1 Example 1 – Normal Programs: • Program calls sleep function which is dynamically linked: • Now we implement our own sleep() function:

  21. Attacks via Dynamic Linker: Case Study 1 Example 1 – Normal Programs ( continued ): • We need to compile the above code, create a shared library and add the shared library to the LD_PRELOAD environment variable

  22. Attacks via Dynamic Linker: Case Study Example 2 – Set-UID Programs: • If the technique in example 1 works for Set-UID program, it can be very dangerous. Lets convert the above program into Set-UID : • Our sleep() function was not invoked. • This is due to a countermeasure implemented by the dynamic linker. It ignores the LD_PRELOAD and LD_LIBRARY_PATH environment variables when the EUID and RUID differ. • Lets verify this countermeasure with an example in the next slide.

  23. Attacks via Dynamic Linker Let’s verify the countermeasure • Make a copy of the env program and make it a Set-UID program : • Export LD_LIBRARY_PATH and LD_PRELOAD and run both the programs: Run the original env program Run our env program

  24. Attacks via Dynamic Linker: Case Study 2 Case study: OS X Dynamic Linker • As discussed in Chapter 1 (in capability leaking ), apple OS X 10.10 introduced a new environment variable without analyzing its security implications perfectly. • DYLD_PRINT_TO_FILE • Ability for users to supply filename for dyld • If it is a Set-UID program, users can write to a protected file • Capability leak – file descriptor not closed • Exploit example: • Set DYLD_PRINT_TO_FILE to /etc/sudoers • Switch to Bob’s account • The echo command writes to /etc/sudoers

  25. Attacks via External Program • An application may invoke an external program. • The application itself may not use environment variables, but the invoked external program might. • Typical ways of invoking external programs: • exec() family of function which call execve() : runs the program directly • system() • The system() function calls execl() • execl() eventually calls execve() to run /bin/sh • The shell program then runs the program • Attack surfaces differ for these two approaches • We have discussed attack surfaces for such shell programs in Chapter 1. Here we will focus on the Environment variables aspect.

  26. Attacks via External Program: Case Study • Shell programs behavior is affected by many environment variables, the most common of which is the PATH variable. • When a shell program runs a command and the absolute path is not provided, it uses the PATH variable to locate the command. • Consider the following code: Full path not provided. We can use this to manipulate the path variable • We will force the above program to execute the following program :

  27. Attacks via External Program: Case Study We will first run the first program without doing the attack We now change the PATH environment variable

  28. Attacks via External Program: Attack Surfaces • Compared to system(), execve()’s attack surface is smaller • execve() does not invoke shell, and thus is not affected by environment variables • When invoking external programs in privileged programs, we should use execve() • Refer to Chapter 1 for more information

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Setting Up Your Environment Environment Variables Aliases Setup Files .login

Setting Up Your Environment Environment Variables Aliases Setup Files .login

Setting Up Your Environment Environment Variables Aliases Setup Files .login .tcshrc other .*rc files History Command Completion Environment Variables (35.3) Unlike a regular shell variable, an environment

774 views • 27 slides
Processing Recap Processing is a language a library an environment Variables A

Processing Recap Processing is a language a library an environment Variables A

Module 01 Processing Recap Processing is a language a library an environment Variables A variable is a named value. It has a type (which cant change) and a current value (which can change). Variables A declaration introduces

735 views • 58 slides
Closures & Scoping Variables Parameters Local variables Free variables

Closures & Scoping Variables Parameters Local variables Free variables

CS152 Programming Language Paradigms Prof. Tom Austin, Fall 2016 Closures & Scoping Variables Parameters Local variables Free variables Variables not defined in the current scope e.g. global variables #!/bin/bash Is x

569 views • 13 slides
OBDD- -based Planning with Real based Planning with Real OBDD Variables in a Non-

OBDD- -based Planning with Real based Planning with Real OBDD Variables in a Non-

OBDD- -based Planning with Real based Planning with Real OBDD Variables in a Non- -Deterministic Deterministic Variables in a Non Environment Environment Anuj Goel and K. S. Barber Laboratory for Intelligent Processes and Systems The

576 views • 21 slides
YCL Week 3 Lets talk about variables! Variables Variables are containers for data. Variables

YCL Week 3 Lets talk about variables! Variables Variables are containers for data. Variables

YCL Week 3 Lets talk about variables! Variables Variables are containers for data. Variables have two parts: a name and a value, which is of a certain data type. A variables value is usually assigned to it using an equal sign. x = 5

171 views • 15 slides
Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir

Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir

Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir Johansen May 5, 2008 Cray Inc. Proprietary Slide 1 Goals of the Presentation Provide users an overview of the implementation of MPI on the Cray XT.

790 views • 44 slides
Runtime - Variables Storage and Access of Variables Three types of data memory (variables)

Runtime - Variables Storage and Access of Variables Three types of data memory (variables)

Todays Topic Runtime - Variables Storage and Access of Variables Three types of data memory (variables) Globals , locals , and dynamic/heap (new) Focus on first two for now How does compiler manage allocation of, reading of, and

565 views • 10 slides
COMP 2718: The Environment By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline

COMP 2718: The Environment By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline

COMP 2718: The Environment By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline The Environment Chapter 11 of TLCL What is the Environment? Examining the Environment Some Interesting Variables How is the

513 views • 15 slides
Control Charts for Variables Terminology Variables refers to quantitative variables, like

Control Charts for Variables Terminology Variables refers to quantitative variables, like

ST 435/535 Statistical Methods for Quality and Productivity Improvement / Statistical Process Control Control Charts for Variables Terminology Variables refers to quantitative variables, like physical dimensions, as opposed to

264 views • 12 slides
CSS CUSTOM PROPERTIES (VARIABLES) What CSS Variables are? CSS variables are entities defined by

CSS CUSTOM PROPERTIES (VARIABLES) What CSS Variables are? CSS variables are entities defined by

CSS CUSTOM PROPERTIES (VARIABLES) What CSS Variables are? CSS variables are entities defined by CSS authors that contain specific values to be reused throughout a document. How to use a variable? --my-variable var(--my-variable); BENEFITS

453 views • 9 slides
Variables in C++ The variable C++ Variables Kinds of Variables Memory storage

Variables in C++ The variable C++ Variables Kinds of Variables Memory storage

Variables in C++ The variable C++ Variables Kinds of Variables Memory storage Variable qualifiers The variable The variable A variable declaration is a request for space Basic data types in memory int , short,

239 views • 6 slides
Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many

Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many

Discrete Random Variables October 7, 2010 Discrete Random Variables Random Variables In many situations, we are interested in numbers associated with the outcomes of a random experiment. For example: Testing cars from a production line, we are

489 views • 38 slides
4 Sums of Random Variables Many of the variables dealt with in physics can be expressed as a sum

4 Sums of Random Variables Many of the variables dealt with in physics can be expressed as a sum

47 Sums of a Random Variables 4 Sums of Random Variables Many of the variables dealt with in physics can be expressed as a sum of other variables; often the components of the sum are statistically indepen- dent. This section deals

378 views • 21 slides
Variables Motivation This series introduces the concept of variables Very powerful

Variables Motivation This series introduces the concept of variables Very powerful

Module 2 Variables Motivation This series introduces the concept of variables Very powerful programming concept Necessary for more complex Python features But variables can be tricky to work with With expressions, we got a value

947 views • 17 slides
Variables & References Variables with primitive types: Primitive types Lower

Variables & References Variables with primitive types: Primitive types Lower

Variables & References Variables with primitive types: Primitive types Lower case names int, float, double, boolean, Declare variables: <type name> <variableName>; Memory will be allocated to

399 views • 12 slides
Coded variables Some variables can be represented on different scales. E.g., temperature in

Coded variables Some variables can be represented on different scales. E.g., temperature in

ST 430/514 Introduction to Regression Analysis/Statistics for Management and the Social Sciences II Coded variables Some variables can be represented on different scales. E.g., temperature in degrees Celsius or Fahrenheit. Suppose some response

514 views • 23 slides
Aligning DNA sequences on compressed collections of genomes Part 4. Practical session: Unix

Aligning DNA sequences on compressed collections of genomes Part 4. Practical session: Unix

Aligning DNA sequences on compressed collections of genomes Part 4. Practical session: Unix scripting The CODATA-RDA Research Data Science Applied workshop on Bioinformatics ICTP , Trieste - Italy July 24-28, 2017 Nicola Prezza Technical

787 views • 42 slides
Part III Part III Storage Management Storage Management Chapter 10: File System Interface

Part III Part III Storage Management Storage Management Chapter 10: File System Interface

Part III Part III Storage Management Storage Management Chapter 10: File System Interface Chapter 10: File-System Interface 1 Fall 2010 Files Files A file is a named collection of related information that is recorded on secondary

568 views • 33 slides
CSCI 2132 Software Development Lecture 4: Files and Directories Instructor: Vlado Keselj

CSCI 2132 Software Development Lecture 4: Files and Directories Instructor: Vlado Keselj

CSCI 2132 Software Development Lecture 4: Files and Directories Instructor: Vlado Keselj Faculty of Computer Science Dalhousie University 12-Sep-2018 (4) CSCI 2132 1 Previous Lecture Some hardware concepts Main UNIX concepts,

802 views • 16 slides
Introduction to Unix Editing with emacs Compiling with gcc What is Unix? q UNIX is an operating

Introduction to Unix Editing with emacs Compiling with gcc What is Unix? q UNIX is an operating

Introduction to Unix Editing with emacs Compiling with gcc What is Unix? q UNIX is an operating system first developed in the 1960s - by operating system, we mean the suite of programs that make the computer work q There are many different

549 views • 30 slides
UNIX Basics UNIX Basics CIS 218 Oakton Community College History UNIX was invented in 1969

UNIX Basics UNIX Basics CIS 218 Oakton Community College History UNIX was invented in 1969

UNIX Basics UNIX Basics CIS 218 Oakton Community College History UNIX was invented in 1969 at AT&T Bell Labs Ken Thompson and Dennis Ritchie are credited as the original architects and developers of C. Written in the C

871 views • 29 slides
Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi

Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi

Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi fined Cyb yberinfrastr tructu ture Arnab K. Paul , Ryan Chard , Kyle Chard , Steven Tuecke , Ali R. Butt , Ian Foster

582 views • 24 slides
CptS 360 (System Programming) Unit 2: Introduction to UNIX and Linux Bob Lewis School of

CptS 360 (System Programming) Unit 2: Introduction to UNIX and Linux Bob Lewis School of

Unit 2: Introduction to UNIX and Linux CptS 360 (System Programming) Unit 2: Introduction to UNIX and Linux Bob Lewis School of Engineering and Applied Sciences Washington State University Spring, 2020 Bob Lewis WSU CptS 360 (Spring, 2020)

955 views • 19 slides
COMPILING FOR THE ARCHER HARDWARE Slides contributed by Cray and EPCC Modules The Cray

COMPILING FOR THE ARCHER HARDWARE Slides contributed by Cray and EPCC Modules The Cray

COMPILING FOR THE ARCHER HARDWARE Slides contributed by Cray and EPCC Modules The Cray Programming Environment uses the GNU modules framework to support multiple software versions and to create integrated software packages As new

586 views • 31 slides

More recommend