Information-Security-Systems - Assignment 3  - Solved

•       You should have already installed and become familiar with the Ubuntu Mate 20.04 Operating System(OS). You can do this either:  

(1)    with dual boot i.e. if you already have an OS such as MS Windows, MAC OS, or another linux distribution, just install Ubuntu Mate 20.04 as a secondary OS, or,

(2)    by installing first a Virtual machine (e.g. the Oracle VM VirtualBox is freely available) in your existing OS, and then within the VirtualBox installing the Ubuntu Mate 20.04, or,

(3)    by installing Ubuntu Mate 20.04 as your primary OS.

•       If you prefer install the Ubuntu 20.04 OS instead of the Ubuntu Mate.

•       You should have already installed the gcc compiler:

sudo apt update 

sudo apt install build-essential 

•       Develop you C code using one of your favorite editors such as gedit, pluma or vi.

 

Access Control Logging
 

For this assignment, you will develop an access control logging system using the C programming language. The access control logging system will monitor and keep track of every file access and modification that occurs in the system. So, each file access or file modification will generate an entry in a log file. This log file will be inspected by a separate high privileged process.  

 

You will use “LD_PRELOAD”, which instructs the linker to bind symbols provided by a shared library before any other library. This way, you will override the C standard library functions that handle file accesses and modifications (fopen, fwrite) with your own versions in order to offer the extra functionality you are requested.

 

Important: The current assignment is required for your next assignment. This means that if you skip the current assignment, to fully implement the next one you will have to implement both. 

 

Step 1: Access Control Logging tool
 

As reported above you are requested to develop a shared library, named “logger.so”, that overrides the C standard I/O library using the LD_PRELOAD. Specifically, your own versions of fopen and fwrite will collect and log the needed information for each file access, before continuing with the standard I/O operation. The log file should be named “file_logging.log”. The log file must be stored somewhere, where it can be accessible by all users. Each log entry should contain the following information:  

1.       UID: The unique user ID assigned by the system to a user (hint: see getuid() function).

2.       File name: The path and name of the accessed file.

3.       Date: The date that the action occurred.

4.       Timestamp: The time that the action occurred.

5.       Access type: For file creation, the access type is 0. For file open, the access type is 1. For file write, the access type is 2.

6.       Is-action-denied flag: This field reports if the action was denied to the user with no access privileges. It is 1 if the action was denied to the user, or 0 otherwise.  

7.       File fingerprint: The digital fingerprint of the file the time the event occurred. This digital fingerprint is the hash value of the file contents (hint: You can use the md5 hash functions: https://www.openssl.org/docs/man1.1.0/man3/MD5_Init.html ).  

Notes

 Each log entry should have all the above 7 fields. In order to find the filepath from FILE*: from the file pointer find the file descriptor, and from the file descriptor find the file name.

 

Events that must be logged:

1.       File creation: Every time a user creates a file, the log file must be updated with information about the creation of the file. Make sure to modify the fopen() function in a way that the creation of a file can be distinguished from the opening of an existing file.  

2.       File opening: Every time a user tries to open a file, the log file must be updated with the corresponding file access attempt information. For this case, fopen() functions need to be intercepted and information about the user and the file access has to be collected.

3.       File modification (write): Every time a user tries to modify a file, the log file will be updated with the corresponding file modification attempt information. This means that fwrite() functions need to be intercepted and information about the user and the file access has to be collected.

Every fopen()/fwrite() function should create a new entry in a log file.  

 

Step 2: Access Control Log Monitoring tool
 

Develop a log monitoring tool, named “acmonitor.c”, which will be responsible for monitoring the logs created by the Access Control Logging tool (Step 1). This log monitoring tool will:

1.       Parse the log file generated in Step 1 and extract all incidents where malicious users[1] tried to access multiple files without having permissions. As an output, the tool should print all users that tried to access more than 7 different files without having permissions i.e. print those users (uids) that tried to access at least 7 different files, without actually having the permissions.

2.       Given a filename, the log monitoring tool should track and report all users that have accessed the specific file. By comparing the digital fingerprints/hash values, the log monitoring tool should check how many times the file was indeed modified. As an output, the log monitoring tool is expected to print a table with the number of times each user has modified it.

note: the creation of a file produces a file fingerprint X1, and writing into this file produces another file fingerprint X2. As “a modification” we consider a transition from X1 to X2.

 

Step 3: Test the Access Control Logging & Log Monitoring tools
 

Develop a simple tool, named “test_aclog.c”, that will be used to test and demonstrate the above tasks. The “test_aclog.c” tool has to create/open/modify files, in a way that will create the conditions that the “acmonitor.c” tool searches for. For instance, you should try to open files without having the permission to do so (see Step 2.1), and modify specific files (see Step 2.2).  

Executing the “test_aclog.c” tool with your custom fopen() and fwrite() functions preloaded, will create the required access control log file entries in “file_logging.log”. Then use the log monitoring tool to get the relevant reports (Step 2).  

 

Tool Specification 
The Access Control Log Monitoring tool (Step 2) will receive the required arguments from the command line upon execution.

Options 

-m 
Prints malicious users
-i <filename> 
Prints table of users that modified the file given, and the number of modifications
-h 
Help message
 


Example
You need to use LD_PRELOAD to instruct the linker to load your implementation of fopen/fwrite before any other library. Example below:  
[1] For this assignment, a “malicious user” is the user that tries to access multiple files without having the permission. For Step 2, when we refer to a “malicious user” we refer to the user that tries to access more than 7 different files without having the permission.