threat_analysis_min_security.html

SLP协议在linux下的实现。此版本为1.2.1版。官方网站为www.openslp.org

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="GENERATOR" content="Mozilla/4.76C-CCK-MCD Caldera Systems OpenLinux [en] (X11; U; Linux 2.4.2 i686) [Netscape]">
</head>
<body>

<h3>
SLP Security</h3>

<h3>
Introduction</h3>
&nbsp;
<h3>
The SLP Security Problem</h3>
The SLP security problem can be divided into three categories:&nbsp; SLP
security attacks, security configuration and management problems, and ignorance
of secure SLPv2 usage.&nbsp; The following is an introduction to problems
that will be examined in more detail later in this document.
<p>The obvious SLP security problems are those that are similar to the
one that is described by the following example from <a href="broken_link.html">SLPv2
Authentication - Is it worth the trouble</a> ):
<blockquote><tt>Imagine that in an enterprise environment there is a malicious
or overly curious individual that would like to obtain confidential information.&nbsp;&nbsp;&nbsp;
SLP could be exploited to obtain information from software that was otherwise
secured only by virtue of manual configuration.&nbsp;&nbsp;&nbsp; For example,
an OpenSource help desk application consisting of "server" and "client"
software is SLP enabled because the network administrators got tired of
helping employees set up the "client" software with location and configuration
information used to connect with the "server" software.</tt>
<p><tt>Since the source code is readily available, a sneaky employee makes
a few modifications to the server code that allows him to obtain user names
and passwords.&nbsp; He recompiles the source and brings up the "rogue"
help desk server.&nbsp; Since the "rogue" help desk server and the real
help desk server both have similar SLP registerations, it is possible that
clients may connect to the "rogue" server instead of the real one.&nbsp;
When the users log in, the "rogue" server saves off a copies of user names
and passwords.&nbsp; The malicious employee can use these user names and
passwords later to impersonate other people.</tt></blockquote>
The obvious solution to this and other related SLP security problems is
to build security features into the SLP protocol itself.&nbsp;&nbsp; This
is the approach that is taken by SLPv2 and it is indeed successful in preventing
nearly all of the SLP security attacks in a way that requires very little
effort on the part of user and application developer.&nbsp; However, it
places a huge security configuration and management burdon on the system
administrator and makes (application level) interoperability between SLP
implementations difficult if not impossible.&nbsp; In other words, the
SLPv2 security specification does a great job at solving most SLP security
problems from a protocol perspective, but in most applications, it creates
a configuration and management nighmare that challenges the fundamental
SLP usability claim"
<blockquote><tt>"Using this protocol, computers using the [network] need
little or no static configuration of network services for network based
applications."&nbsp; -- RFC 2608 (abstract)</tt></blockquote>
SLPv2 uses public key cryptography to generate signatures that ensure integrity
of SLP messages.&nbsp;&nbsp;&nbsp; Authenticity of SLP message signatures
is established by the relationship of SPI and keys -- unfortunately this
is a relationship that has to be established manually or by some other
trusted PKI framework.&nbsp;&nbsp; Another unfortunate reality is that
there are no standards for PKI frameworks to which SLP protocol implementors
can write nor are there any standard for manual configuration.&nbsp;&nbsp;
The result is that none of the secure SLPv2 security implementations are
interoperable from a security configuration or management standpoint.&nbsp;
With out security configuration and management standards, software developers
have a difficult time writing management software and System administrators
are stuck with the prospect of having to manually configure key distibution
and SPI configuration.
<p>Finally, very little information is given in RFC 2608 or in RFC 2614
(especially) to educates developers of SLP software about the subelties
of SLP security and how SLP must be used in order to be secure.&nbsp; It
turns out that there many things that developers can do to write software
that is resistant to SLP related attacks that do not require use of SLPv2
protocol security features.&nbsp;&nbsp; As discussed later in this document,
it may be possible for educated developers to write acceptibly secure SLP
enabled software that does not require any security configuration or management
overhead.
<h3>
Limiting SLP Security Requirements</h3>
Most Internet security problems are approached with the assumption that
no one is trustworthy and that no one is trackable or accountable.&nbsp;
This is probably not an appropriate approach to SLP security because SLP
is not intended for the Internet.
<blockquote><tt>SLP is intended to function within networks under cooperative&nbsp;
administrative control.&nbsp; Such networks permit a policy to be&nbsp;
implemented regarding security, multicast routing and organization of services
and clients into goups which are not be feasible on the scale of the Internet
as a whole. -- RFC 2608 (section 1.1 Applicability Statement)</tt></blockquote>
In approaching the SLP security problem, one should continue to assume
that no one is trustworthy, however, it SHOULD NOT be assumed that no one
is accountable or trackable.&nbsp; In fact, in "networks under cooperative
administrative control" it is very easy track and confront individuals
that corrupt otherwise insecure systems as long as it can be identified
that a corruption has been attempted or has occured.&nbsp; Because they
can be held accountable, fear of consequences keep otherwise untrustworthy
individuals in line.
<p>SLPv2 security as described by RFC 2608 supplies, at the protocol level
, everything that is needed to ensure that service location information
was sent by a trusted entity (authentication) and that the information
was not changed in
<br>transit (integrity).&nbsp; At the application level, this means that
an application developer (probably using the SLP API) can trust *all* SLP
delivered information.&nbsp;&nbsp; This allows the developer to be more
relaxed about how service specific communication is performed.
<p>Blind trust of SLP deliverd information (URLs, etc) is especially significant
in common situations where confidential information (username and password)
are exchanged with an entity authenticated only by the fact that it was
<br>located via secure SLP.&nbsp; For example, LDAP enabled software uses
SLP to locate an LDAP directory.&nbsp; If SLP information is secure, the
username and password to establish a connection with the LDAP directory
can be sent with out having to use any other method to establish the identity
of LDAP directory.&nbsp; However, with LDAP (and many other protocols)&nbsp;
is is now possible to establish the identity of both the "server" and "client"
nodes without trusting the service location method.&nbsp;&nbsp;&nbsp; In
fact, for any SSL or equivilant transport it is crucial to cyptographically
establish the identity of the "other side" in a way that is seperate from
the URL that was used to initiate the connection.&nbsp;&nbsp;
<p>As expressed in <a href="broken_link.html">SLPv2 Security - Is it worth
the pain</a> ,&nbsp; SLPv2 security does not really do much protect confidential
data and resources unless the service-specific protocols are secure.&nbsp;&nbsp;
Why would it be useful to have a secure location mechanism if protocol
being use to actually control confidential data and resources can be easilly
compromised?&nbsp;&nbsp; If&nbsp; SLP&nbsp;security is not interest to
anyone unless they use SLP&nbsp;in conjunction with some other secure protocol.&nbsp;
then SLP&nbsp;security is only valuable if it can be used without disrupting
the operation already secure software.
<br>&nbsp;
<h3>
Security by Fear</h3>
&nbsp;
<p>&nbsp;
<p>Under heavy attack, secure software ultimately has one alternative,
it can stop working rather than give access to confidental data and resources.&nbsp;&nbsp;
Ignoring requests for services turns out to be only alternata
<p>Continuing the LDAP example from above, it is possible to write a secure
LDAP enabled "client" application that uses "insecure" SLP to discover
the LDAP server.&nbsp; The client would locate URLs for *all* LDAP services
using SLP.
<br>The client would try to establish an SSL connection with each of the
discovered LDAP servers until an LDAP server that comes to an LDAP server
that is trusted.&nbsp; If SLP finds an LDAP servers that is not trusted
it should
<br>display a warning message (thus helping to track down the rogue or
misconfigured LDAP server).&nbsp; In this example above there is one no
chance for security compromise in the LDAP application due to it's use
of SLP.&nbsp; There is, however a chance that&nbsp; "suppresion attacks"
could burdon the application.
<br>&nbsp;
<h3>
SLP Security Attacks</h3>
As mentioned in the previous section, the use of secure service specific
protocols/frameworks in an environment "under cooperative administrative
control" greatly reduces the scope of the SLP security problem.&nbsp;&nbsp;
Instead of having to ensure that every bit of SLP information is delivered
with authenticity and integrity, it could be argued that SLP only has to
worry about a those portions SLP delivered information that can be subverted
with out alerting the system administrator.&nbsp; However, since the system
administrators can't be expected to be constantly vigilant or timely in
their response to alerts, it is also important that SLP&nbsp;enabled software
be still be written in a way that does not compromize confidental data
or resources when under attack.
<p>Since SLP controlled information is publically available, most SLP security
attacks are calculated to compromize information and resources controlled
by service-specific protocols than information that is controlled by SLP
itself.&nbsp; There are two categories of SLP attack: impersonation attacks,
and disruption attacks.&nbsp;&nbsp; Impersonation attacks involve manipulation
of SLP in order trick SLP enabled software into using rogue service.&nbsp;&nbsp;
The ultimate goal of impersonation attacks is to obtain confidential information.&nbsp;&nbsp;
Disruption attacks involve manipulations of SLP in order to disrupt or
halt normal operation of SLP enabled software with the ultimate goal of
making life hard for the system adminstrator.
<p>If SLP enabled software uses secure service-specific protocols, impersonation
attacks have almost no chance of being successful.&nbsp; SLP related disruption
attacks, on the other hand, have a very good chance of being successful.&nbsp;
The following table is a list of disruption attacks that could be directed
at SLP enabled software:
<br>&nbsp;
<table BORDER WIDTH="100%" NOSAVE >
<tr NOSAVE>
<td NOSAVE><b>Attack</b></td>

<td><b>Description</b></td>
</tr>

<tr>
<td>Unauthorized Directory Agent</td>

<td>An unauthorized directory agent could be installed on the network with
the intention of sending incorrect information to UAs.&nbsp;&nbsp; A malicious
DA could disrupt the operation of SLP enabled applications by returning
unauthorized service URLs, by returning unauthorized attributes, or by
simply not returning any results at all.&nbsp; Since UAs are required to
use a DA if it exists, it is possible that it might attach to the unauthorized