COPS and Robbers
UN*X System Security

In the last few years, computer security has received a great deal more attention than it has in the past. Computerized break-ins and criminal activity, once merely the product of the imagination of science fiction writers, have become a fairly common occurrence in both commercial and academic circles. In this paper, I will go over the problems that face any multiuser computing system, then discuss how these problems apply to UNIX[1] specifically, and finally present in detail a suite of programs that were developed in an attempt to address some of the main problems that could be solved via software. UNIX, although considered to be a fairly secure operating system ([Wood 88], [Duff 89], etc), has the advantage of having many published works ([Grampp and Morris 84], [Bishop 83], etc) on the problems that a computing site can have with security, and in addition, on how a UNIX system administrator might make his/her system more secure by monitoring various aspects of his/her UNIX site. This, combined with UNIX's popularity, makes it an ideal target for a software security system to operate on.

In this report I am not going to discuss specific ways of breaking into a given UNIX machine (for a more detailed description on how to compromise UNIX security, see either [Baldwin88], [Bishop83], [Wood & Kochran 86], or [Grampp & Morris 84]) -- instead, I will concentrate on how to improve and strengthen the potentially good security of a generic UNIX system by means of a software toolkit that examines the weaker areas of UNIX that are either traditionally ignored (due to the time constraints or ignorance of the system administrators) or are simply reoccurring problems that need to be watched over.
In addition, this report is not meant for UNIX neophytes -- although a great deal of proficiency is not needed to read this report and use the programs described herein, a familiarity with basic UNIX features -- the file system and file permission modes for example -- and commands such as awk, grep, sed as well as a working knowledge of shell and C programming are necessary to understand the internal workings of the security system described in this paper.

_________________________
[1] Although originally designed and developed by Ken Thompson and Dennis Ritchie of AT&T, UNIX has grown far beyond its original design and now numerous companies market their own "flavor" of UNIX. When I use the term UNIX in this paper, I don't mean merely AT&T's version, but instead I mean the majority of the most popular varieties, made by developers at Berkeley, Sun, and a host of other manufacturers. I believe UNIX is still a trademark of Bell Laboratories.

February 19, 1991

Although there is no reasonable way that all security problems can be solved (at least not with a software solution) on any arbitrary UNIX system, administrators and system programs can be assisted by a software security tool. The Computer Oracle Password and Security system (COPS) that will be described in this paper is just such a device. The COPS system is a collection of programs and shell scripts that attempt to address as many of these problems as possible in an efficient, portable, and above all in a reliable and safe way. The main goal of COPS is one of prevention; it tries to anticipate and eliminate security problems by making sure people don't get a chance to compromise security in the first place.
Alerting the administrators of a potential intruder or that a virus has infected the system is beyond the scope of the present system, although with work such capabilities could be added ([Bauer and Koblentz 88] and [Duff 89].)

To understand the reason COPS might check any specific problem, a look at computer security problems in general is in order. The problems listed below are not meant to be inclusive, but they are indicative of the myriad types of dilemmas a typical computer multiuser system might encounter:

1) Administrators, system programmers, and computer operators. The very people that (should) worry the most about security are sometimes the ones that are the least concerned. Carelessness is one of the main culprits; a mistake by a user might cause little or no problem, but when someone with no restrictions (or almost none) on their computer activity makes a mistake, a security hole can result. "I can trust my users" is a fine statement to make -- but can you trust your users' friends? How about the users of computers that are networked to yours? New software, systems, or procedures can facilitate extra problems; a computing staff is often ill or completely non-trained on new techniques and software. Too often "RTFM" is the only training that they will ever receive. Programs that are created for in-house use are often ill-documented and not debugged thoroughly, and when users other than the author start to use/abuse the program, problems can result. Especially misunderstood, even by experienced UNIX system programmers, is the SUID program or, worse yet, the SUID shell script ([Bishop 83].) When a user says that his/her password was forgotten (or any other account/security related problem), what checks are made to verify that the person is really the owner of that account?
Are users that are security problems kept track of, so that repeated abuses of the system will result in punitive action? Does your site even have a security policy? And of course, the last straw is that most system administrators simply have too much other work to do than to constantly check the system for potential security flaws -- let alone to double-check that any work done by other system programmers has been done correctly. These are the actions that often get left unsaid and undone.

A UNIX environment has no special defenses against this kind of "attack". Fortunately, a number of these potential problems (unless catastrophic in scope) are not only correctable, but are easy to detect with a software toolkit such as COPS. Even the most careful UNIX guru will periodically make a mistake; COPS has been designed to aid in her/his never ending battle against the forces of darkness.

2) Physical security. This is perhaps the most frustrating of all possible problems because it affects all computer systems and is often the hardest to safeguard against. Even if the software is secure, even if the system administrators are alert to potential problems, what happens if a user walks up to the root console and starts typing? Does the night janitorial staff let anyone into the machine room without proper identification? Who has access to the key that opens up the computing center? Are terminals that are logged on left unguarded or unlocked? Are passwords written on or near a user's terminal or desk? No software in the world can help against human nature or carelessness. Reiterating to your staff and users that terminals should not be left alone or unguarded and that passwords (especially root) should not be typed in front of unfriendly (and in this case, _everyone_ is your enemy) eyes would be a good start.
A simple analogy: since you would never give the keys to the company car away, why on earth would you give away the keys to your computer, which is certainly worth a hell of a lot more time and money (although it may not get as good mileage on the interstate.) Common sense goes a long way to help prevent this kind of risk.

3) Authentication. What is authentication? All modern computing systems that have capabilities for multiple users have a means of identifying who is using the computer at any given time. A common means of identification is by using a password; and since the inception of this idea, poor passwords have been a perennial problem. People have a tendency to use their own name, or their social security number, or some other common word, name, or phrase for a password. The problem then arises when an unauthorized user wants to access clandestine information: he/she simply tries one of these simple passwords until a successful match is found.

Other problems with authentication? What computer hosts are "trusted" and allow users to log in from other machines without any further authentication? Are incorrect login attempts kept and/or monitored so as to allow administrators to keep track of any unusual activity? What about "Trojan horses" -- programs that can steal passwords and the privileges that a user owns -- is there a program or an administrative method that detects a potential 'horse?

Fortunately UNIX systems again have some fairly good tools to aid in this fight.
Although finding simple passwords is indeed a trivial task, forcing the users on a system to use passwords that are harder to guess is also trivial, by either modifying the mechanism that gets/gives the password to the user, and/or by having the system administrators run a simple password detector periodically, and notifying users if their password is deemed too obvious. The crypt command, although proven to be insecure for a knowledgeable and resourceful attacker ([Reed and Weinberger 84], [Baldwin 86]), does offer an added shield against most unauthorized users. Logs can be kept of incorrect login attempts, but as with most security measures, to be effective someone (usually the site administrator) must take the time to examine the evidence.

4) Bugs/Features. Massive software designs (such as an operating system) are usually the result of a team or of teams of developers working together. It only takes one programmer to make a mistake, and it will almost always happen. "Back doors" that allow unauthorized entrances are sometimes purposefully coded in -- for debugging, maintenance, or other reasons. And there are always unexpected side effects when thousands of people using the system start doing strange (stupid?) things. The best kind of defense against this is to report the problems to the developer as they are discovered, and if possible, to also report a way to fix the problem. Unfortunately, in many cases the source code is needed to make a bug fix, and especially in non-academic areas, this is simply not available due to the prohibitive costs involved. Combine this with the reluctance of a (usually) commercial developer to admit any problems with their product, and the end result is a security hole that will not be mended unless some kind of financial loss or gain is at stake -- for the developer of the product, not yours!

5) Ignorance.
Users who don't know or care can be a problem as well. Even if someone doesn't care about their own security, they can unwittingly compromise the entire system -- especially if they are a user with high privileges. Administrators and system operators are not immune to this either, but hopefully are better informed, or at least have access to a means of combating this dysfunction. It may also be due to apathy, an unwillingness to learn a new system, a lack of time to explore all of the features of a large system, or simply not enough computer savvy to learn more about a very complex system, and no one willing to teach it to the user. This problem is much like illiteracy; it is a never-ending battle that will never go completely away. And while a software toolkit such as COPS can help combat this problem by calling attention to neglected or misunderstood critical areas, by far and away the best weapon against this is education. An educated user will simply not make as many mistakes; and while it may seem impractical to teach _all_ users about (even) the fundamentals of computer security, think of all the time and resources wasted tracking down the mistakes that keep recurring time and time again.

6) Unauthorized permissions or privileges. Are users given _too much_ freedom? Do new computer accounts have any default security at all, or are the new users expected to know what to do to protect their programs, data, and other files? System files, programs, and data are sometimes shipped with minimal or no protection when gotten straight from the manufacturer; someone at the installation site must have enough knowledge to "tune" the system to be effective and safe.
Password, memory, and log files especially should all be carefully monitored, but unfortunately an experienced user can often still find out any information they want with perseverance and a little luck. This is where a system such as COPS can really shine. After a new system is configured, some basic flaws can be uncovered with just a small amount of effort. New system problems that somehow slip through the cracks of the site installers can be caught and modified before any serious problems result. The key here is to prevent your system users from getting a denial of computer service that they need and deserve. Service could mean anything from CPU time, response time, file space, or any other commodity that a computer has to offer.

7) Crackers/Hackers/Evil twin brothers. Not much is needed on this subject, save to say that they are often not the main problem. Professional evil-users are a rarity; often harmful acts are done by users who "just wanted to see what would happen" or had no idea of the ramifications of their acts. Someone who is truly experienced is very difficult to stop, and is certainly outside the realm of any software security tool as discussed in this paper. Fortunately, most evil-doers are fairly inexperienced and ignorant, and when they make a mistake, a watchful administrator can deal with a problem before it gets out of hand. Sometimes they can even reveal security problems that were previously undiscovered. COPS can help here mostly by reducing an attacker's options; the fewer holes to exploit, the better.

The COPS system attempts to help protect as many of the above items as possible for a generic UNIX system. In the proper UNIX spirit, instead of having a large program that attempts to solve every possible problem, it is composed of several small programs that each check one or more potential
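
An added example, not part of the original paper and not COPS code: a small check in the style described above, flagging world-writable critical files (item 6) and set-uid shell scripts (item 1). The function names, file names and the temporary directory tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not COPS code). File names and modes below are constructed.

# world_writable FILE...: print each listed file that any user may write to.
# Missing files are skipped; symlinks are ignored (their mode is always 777).
world_writable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        # -perm -0002 is true when the "other write" bit is set.
        find "$f" -prune ! -type l -perm -0002 -print
    done
}

# suid_scripts DIR: print set-uid regular files under DIR that begin with "#!".
suid_scripts() {
    find "$1" -type f -perm -4000 -print | while IFS= read -r f; do
        # Read only the first two bytes to recognise an interpreter line.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# demo: build a throwaway tree with one mistake of each kind and audit it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/var/log" "$root/usr/local/bin"
    printf 'root:x:0:0::/:/bin/sh\n' > "$root/etc/passwd"
    : > "$root/var/log/messages"
    printf '#!/bin/sh\necho backup\n' > "$root/usr/local/bin/backup"
    printf '#!/bin/sh\necho report\n' > "$root/usr/local/bin/report"
    chmod 644 "$root/etc/passwd"
    chmod 666 "$root/var/log/messages"       # constructed mistake: world-writable log
    chmod 4755 "$root/usr/local/bin/backup"  # constructed mistake: set-uid script
    chmod 755 "$root/usr/local/bin/report"
    echo "World-writable critical files:"
    world_writable "$root/etc/passwd" "$root/var/log/messages" "$root/etc/shadow"
    echo "Set-uid shell scripts:"
    suid_scripts "$root/usr/local/bin"
    rm -rf "$root"
}

demo
```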
