CY 2550 - Foundations of Cybersecurity

Project: Access Control

This project is due at 11:59pm on Friday, February 5.

Description and Deliverables

In this project, you will gain hands on experience with Unix file permissions and the AppArmor manditory access control system. Your first task is to inspect a filesystem that we provide you and try to determine which files have insecure access permissions. By “insecure,” we mean that the file permissions would allow an unpriveleged user to mount an attack on another user on the same Unix system—to detect such an insecurity, you should compare the permissions of an insecure file to the files around them or to the files in your own secured Linux VM.

After determining which files have insecure settings, you will need to provide commands which fix the settings. There are at least 13 files with incorrect settings, you will need to find 10 of them to get full credit.

In the next part of the assignment, you will create an apparmor policy that restricts a given program from accessing files that it does not need for its job.

To receive full credit for this project, you will turn in the following three things:

Each of these deliverables is described in greater detail below.

Part 1: File System Setup and File Permissions

You have recovered the file system image (i.e., a copy of the contents of the hard drive) of a computer that was possibly used in a security attack. Your first job is to download the filesystem image and mount it in your Linux virtual machine. This is an ext4 format file system image, and you can mount it as follows: 

$ wget /static/class/2550/access-control-fs.ext4.gz
$ gunzip access-control-fs.ext4.gz
$ sudo mount access-control-fs.ext4 /mnt
$ ls -al /mnt
Now you should see the “root” disk of this captured machine under /mnt. We are now going to explore the filesystem. To “immerse” yourself into the image without actually booting this potentially compromised machine, you are going to be running your virtual machine “kernel”, while exploring the file system as if you were running that system. To do this, we are going to use a program called chroot (i.e., "change root"). chroot allows you to run a program while making the program think that the root of the filesystem is within a specific directory. In this case, we are going to run a bash shell using the new captured file system as the root directory: 
cbw@cbw-VirtualBox:~$ sudo chroot /mnt /bin/bash
root@cbw-VirtualBox:/#
After you run this command the prompt should change. You are now running a shell within you existing shell while using the mounted file system as your new root.

This file system has several incorrectly set file system permissions. To get full credit, you will need to identify at least 10 files or directories that have incorrect permissions. Note, one of the first tasks you will need to do is navigate around the Linux filesystem. You can use the commands cd <dir>, ls -al and cd .. to navigate the file system.

When you are done, simply type exit to quit the current shell and return to your original shell. 

root@cbw-VirtualBox:/#  exit
cbw@cbw-VirtualBox:~$
We suggest that you compare the permissions in your Linux virtual machine with those from the captured machine. To do this, consider opening two shells in your VM and inspecting the same files on both machine. Your Linux virtual machine is likely a good reference for how permissions should be set; any unexpected deviations from this baseline are potentially suspicious.

Once you detect a problem, your job is to fix the problem by issuing a command as root that changes the permissions, ownership, and/or group of the file to the most secure possible setting.

As a hint, you do not need to look in the \mnt, \media or \boot directories. Also, you can ignore any links, i.e., files that have an l in the first permission position. Links are usually set with permissions 777 because of the way they are implemented and used.

This part of the assignment took the TA (who has experience with Linux) about 2 hours of work to find all files.

File Format for Part 1

To complete part 1 of this project, you will turn in a file named fs.txt that contains the commands used to fix the file permission settings that you found. Each command should appear on a separate line. For example, the format of a valid submission might look like this: 
chmod 777 /etc/passwd
chown alice:bib /etc/group
...

Part 2: AppArmor

AppArmor is a mandatory access control system available on modern Linux systems that restricts what executing processes can do when they run under any user.

In this section, you will design an AppArmor policy for a new program that we have developed for you. The program, named p2, is available here and its required data file is available here. This program starts a webserver that performs some local services for you. The service opens a network connection and listens on port 8080, and reads and writes several files to provide its service.

Note: you will need to add execute permissions to the p2 program after you download it. 

$ chmod +x p2

Your policy should restrict the p2 program from accessing files that it does not need to perform its function. You can use the following commands to download and run the p2 program in your Linux VM: 

$ wget /static/class/2550/p2
$ wget /static/class/2550/template
$ ./p2
homedir: /home/cbw/.project2
2020/10/07 09:56:19 starting server at localhost:8080
If you open Firefox in your VM (or use curl) to load the webpage http://localhost:8080, you will see a message like this: 
$ curl http://localhost:8080
Congrats! Your server started, but your system allowed 104 files to be accessed that were not needed. cbw 2020-10-10 10:57:11.186100936 -0400 EDT m=+2.757682651 cshMS23y5dAcE08h72FdgEZoDEnaQI53dFsNhDQiIn0=
Your goal is to design an AppArmor policy that reduces the number of files that p2 is able to access. This assignment will require you to learn about the details of an AppArmor policy. We suggest man apparmor as well as other internet resources for how to begin. You can stop the p2 program by pressing ctrl-c in the terminal window.

To begin, you can create a starting policy by running 

$  sudo apt install apparmor-utils
$  sudo aa-genprof p2
This command will ask you to “Scan” and “Finish”, after which it will create the file /etc/apparmor.d/home.<yourusername>.p2 containing the default policy 
Last Modified: Tue Oct  6 18:58:58 2020
#include <tunables/global>
        
/home/cbw/p2 {
  #include <abstractions/base>

  /home/cbw/p2 mr,

}
Unfortunately, if you now try to start p2 again, the policy will prevent p2 from creating a temporary file that it needs. You will need to add some rules to allow that access. In general, as you add rules that are too strict, the program will fail to start. You can use the command 
$ sudo apparmor_parser -r /etc/apparmor.d/home.cbw.p2
to try to find the smallest set of rules that allow the program to run, but prevents all unnecessary file accesses. To help you, try placing the apparmor policy into “audit” mode using sudo aa-audit p2 and then looking at the /var/log/kern.log file for AUDIT entries from apparmor. Note, you can use the @{HOME} macro in your apparmor policy to specify your HOME directory.

File Format for Part 2

Copy and paste the entire string that appears in your webbrowser into the file p2.txt. Note that the long string of base64-encoded characters is a “MAC” on the message. We will use this string to grade your assignment. It is specially crafted for your account.

Copy your /etc/apparmor.d/home.<username>.p2 file to home.user.p2. (Please use the specific word “user” rather than your username so that our grading script can easily find the file.)

Submitting Your Project

To submit your project, do the following:
  1. Create a directory ~/cy2550/project5 in the folder corresponding to your git repository.
  2. Copy your fs.txt, p2.txt, and home.user.p2 files to the ~/cy2550/project5 folder.
  3. Add these files to your repository, commit them, and push the committed files to Github.
  4. Submit your repository to Gradescope.

Grading

This project is worth 10% of your final grade, broken down as follows (out of 100): Points can be lost for turning in files in incorrect formats (e.g. not ASCII) or failing to follow specified formatting or naming conventions.