PHP Security on i5/OS

helping business manage the security equation™
i5/OS Security in a PHP World
Patrick Botz, VP, Security Consulting, Group8 Security, Inc.
www.group8security.com

Upload: zendcon

Post on 13-May-2015


DESCRIPTION

PHP is rapidly becoming, if not already, the de facto standard for Web application development and deployment. Writing PHP applications that accurately enforce your security policies requires knowledge of the general architecture of PHP as well as the i5/OS-specific components of the architecture.

TRANSCRIPT

Page 1: PHP Security on i5/OS

helping business manage the security equation™

i5/OS Security in a PHP World

Patrick Botz
VP, Security Consulting
Group8 Security, Inc.

www.group8security.com

Page 2: PHP Security on i5/OS

© 2008 Group8 Security, Inc. All Rights Reserved. www.group8security.com

Agenda

• What to Protect

• Implementation

• PHP Resources

• Native Resources

• How to Protect

• Architecture

• Web Server

• PHP Core Components

• Native Resources

• IFS

i5/OS Security in a PHP World

Page 3: PHP Security on i5/OS


What to Protect

Page 4: PHP Security on i5/OS


PHP Just Another Interface

[Diagram: the non-PHP-specific information assets on i5/OS, with PHP shown as one interface to them alongside ODBC, FTP, Telnet, etc.]

Page 5: PHP Security on i5/OS

Food For Thought

PHP is another interface to i5/OS – Just like ODBC, FTP, and Telnet are interfaces to i5/OS!

i5/OS resources need to be protected properly independent of PHP

No “exit points” for PHP

Limited capabilities do not apply!

Exclusionary Access Control (EAM) required
• Normal user profiles NOT allowed to access data directly, e.g. PUBLIC *EXCLUDE

i5/OS PHP architecture lends itself to easy implementation in an EAM environment

Page 6: PHP Security on i5/OS


i5/OS PHP Architecture

[Architecture diagram. Labels: Native i5/OS; PASE (AIX); Apache Web Server (shown twice); PHP Core Engine; i5os_*(); db2_*(); Native Database; Native Resources; PHP Admin Tools; IFS; I5_COMD Process; Remote Database. Callouts in the diagram are numbered 1 through 8.]

Page 7: PHP Security on i5/OS


What to Protect

ALL Information Assets on System!
• Not just PHP resources

PHP Implementation (PHP components, directories, stream files, programs, libraries, objects, user profiles)

External Access Point(s)

Focus on Seams!!! (i.e. white arrows)

Page 8: PHP Security on i5/OS

From Whom to Protect

Bad Guys (gender neutral) on Internet

Bad Guys (gender neutral) on Intranet

Page 9: PHP Security on i5/OS

Protecting the PHP Implementation/Environment

Page 10: PHP Security on i5/OS


i5/OS PHP Architecture

[Architecture diagram repeated from page 6, annotated with: Zendcore; /usr/local/zend; /www/zendcore; profiles NOBODY, NOGROUP, ZENDADMIN, ZENDTECH and PHPWEBUSR; PUBLIC *EXCLUDE. Legend: Access Rights, Execution Rights.]

Page 11: PHP Security on i5/OS


User Profiles With Distribution

NOBODY
• PHP Apache Web server
• ZEND core jobs (ZENDCOREAP)
• Group = NOGROUP
• Special authorities = *NONE

ZENDADMIN
• Start/stop jobs in ZEND subsystem
• Pseudo-random number generator for encryption-related services
• GROUP = *NONE
• *ALL special authorities

ZENDTECH
• Update PHP configuration
• GROUP = *NONE
• Special authorities = *NONE

NOGROUP
• Is a GROUP profile
• Use this profile to grant access – not “NOBODY” user profile

NOTE: PASE UserIDs Equivalent to i5/OS User Profiles

Page 12: PHP Security on i5/OS

User Profile to Consider

PHPWEBUSR

Configure native Apache Web server to run under a dedicated user profile
• Special Authorities = *NONE
• Group = *NONE

Page 13: PHP Security on i5/OS

i5/OS PHP Architecture

[Architecture diagram repeated from page 6, annotated with: Zendcore; /usr/local/zend; /www/zendcore.]

Page 14: PHP Security on i5/OS


/www/zendcore /www/zendcore/*

Contains the i5/OS Web server configuration files and application resources.

Access Control Objective
• PUBLIC *EXCLUDE: /www/zendcore, /www/zendcore/*
• PUBLIC *X or *USE: /www
  • *EXCLUDE if no other web apps or other web apps permit

i5/OS Web server user profile may need *R (i.e. “r--”) to same directories

Page 15: PHP Security on i5/OS

/usr/local/zend /usr/local/zend/*

Contains the PHP Web server and PHP core config files and application resources.

Access Control Objective
• Prevent anyone other than PHP administrators from accessing (not to mention changing) configuration files/resources
• PUBLIC *EXCLUDE: /usr/local/zend, /usr/local/zend/*
• PUBLIC *USE: /usr, /usr/local

Page 16: PHP Security on i5/OS

ZENDCORE Library/Objects

Contains administrative tools/functions
• Configure
• Start/Stop

Access control objective
• Prevent anyone other than PHP administrators from
• Protect PROGRAMS that adopt QSECOFR

PUBLIC = *EXCLUDE

Consider using ZENDADMIN and ZENDTECH as group profiles
• PHP administrator profiles should be a member of one or the other.

Page 17: PHP Security on i5/OS

Configure Web Server Security

Page 18: PHP Security on i5/OS


i5/OS PHP Architecture

[Architecture diagram repeated from page 6.]

Page 19: PHP Security on i5/OS


Web Server Security

Native i5/OS Web server acts as “mirror” for PHP Web server
• Port 89
• All requests to i5/OS server changed to requests to PHP server
• All responses from PHP server changed to responses from i5/OS server

PHP Web server
• Localhost (127.0.0.1)
• Port 8000

Recommendations
• Use reverse proxy in your DMZ
• Buffer Overflow Considerations
• Use SSL Connections
• Run i5/OS Web server under “dedicated” user profile (e.g. PHPWEBUSR)

Page 20: PHP Security on i5/OS

Programming Practices

Page 21: PHP Security on i5/OS


i5/OS PHP Architecture

[Architecture diagram repeated from page 6.]

Page 22: PHP Security on i5/OS


Programming Practices

i5_*() APIs
• Connection management
• Command calls*
• Program calls*
• Data retrieval*
• Native file access*
• System values*
• Data areas
• Print and working with spool files
• Job logs
• Active jobs
• Object list
• User space
• Data queue

db2_*() APIs
• Server/Connection
• Result
• Commit/Rollback
• Fetch
• Field Information
• Key Information
• Statement
• Errors
• Column/Procedure
• Table Information

If you run with PUBLIC *USE or *ALL, you make it SIGNIFICANTLY easier for an internal or external attacker to directly and indirectly access sensitive data!

Page 23: PHP Security on i5/OS


PHP Program File Management

Exclusionary access control only viable model!
• PUBLIC = EXCLUDE, or other = “---”
• For everything related to PHP!
• Give nobody or other service user profile read or write where necessary

Put PHP scripts/programs for separate functions in separate directories
• E.g. /www/php/pgm1, /www/php/pgm2, /www/pgm3, /www/pgm/common

Page 24: PHP Security on i5/OS

Programming Practices

i5_connect() API

resource i5_connect(string server, string user, string password[, array options])

Return Values: i5/OS connection resource or false on failure.

Arguments:
server - Name of the server to connect to. Can be either a symbolic name or an IP.
  Note: The system name can only be localhost or 127.0.0.1.
user - Username to use for connecting.
  Note: If no user or password is provided, the connection will be established under NOBODY user profile.
  Note: Username QSECOFR cannot be used in this function.
password - Password for the username
options – Miscellaneous connection options.

Page 25: PHP Security on i5/OS

Programming Practices

Change i5cmd process to run under supplied user profile for this connection

i5_adopt_authority() API

bool i5_adopt_authority(string username, string password, [resource connection])

Return Values: Boolean success value.

Arguments:
username - Name of the user to change to
password - Password for the user
connection - Connection - result of i5_connect

Page 26: PHP Security on i5/OS

Protecting Database Files

db2_connect("","","")
Connects to the database on the PHP host system as user profile *NOBODY.
Note: When no userID/password provided, connection runs in the same process/job as PHP core! Otherwise the connection runs in a separate pre-started job.

db2_connect("*LOCAL","SOMEUSER","PASSWORD")
Connects to database on system on which PHP core engine is running as user profile SOMEUSER.

db2_connect("10.1.2.15","SOMEUSER","PASSWORD")
Connects to remote database at 10.1.2.15 as user profile SOMEUSER.

Page 27: PHP Security on i5/OS

Protecting Database Files

db2_connect("","","")

resource i5_connect(string server, string user, string password[, array options])

Return Values: i5/OS connection resource or false on failure.

Arguments:
server - Name of the server to connect to. This can be either a symbolic name or an IP.
  Note: The system name can only be localhost or 127.0.0.1.
user - Username to use for connecting.
  Note: If no user or password is provided, the connection will be established under NOBODY user profile.
  Note: Username QSECOFR cannot be used in this function.
password - Password for the username
options - Connection options

Page 28: PHP Security on i5/OS

Protecting Database Files

resource db2_exec ( resource connection, string statement [, array options] )

Return values: Statement resource if the SQL statement was issued successfully, or FALSE if the database failed to execute the SQL statement.

Arguments:
connection
  A valid database connection resource variable as returned from db2_connect() or db2_pconnect().
statement
  An SQL statement. The statement cannot contain any parameter markers.
options

Page 29: PHP Security on i5/OS

Protecting Database Files

Protect against SQL Injection Attacks!!!!!

Statement parameter – most important parameter to validate!!!!
• An SQL statement. The statement cannot contain any parameter markers.

Instead of db2_exec()

Use db2_prepare() with db2_bind_param() and db2_execute()

Page 30: PHP Security on i5/OS

Protecting Database Files

db2_prepare() API

This API creates a prepared SQL statement which can include parameter markers (? characters).

resource db2_prepare ( resource connection, string statement [, array options] )

Result value: Returns a statement resource used as input to the db2_execute() and db2_bind_param() APIs.

Arguments:
connection
  A valid database connection resource variable as returned from db2_connect() or db2_pconnect().
statement
  An SQL statement, optionally containing one or more parameter markers.
options
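The db2_exec() call and its db2_prepare() / db2_bind_param() / db2_execute() replacement, side by side. This is an added example, not code from the original slides; the library CUSTLIB, table CUSTOMER, its columns and the request field "city" are hypothetical, and the ibm_db2 extension is assumed to be loaded.

```php
<?php
// Added example, not from the original slides. Requires the ibm_db2 extension.
// Hypothetical names: CUSTLIB.CUSTOMER, columns CUSTNO/NAME/CITY, field "city".
// The connection runs as NOBODY, as the slides describe for db2_connect("","","").

$city = isset($_GET['city']) ? (string) $_GET['city'] : '';

$conn = db2_connect('', '', '');
if ($conn === false) {
    error_log('db2_connect failed: ' . db2_conn_errormsg());
    http_response_code(500);
    exit;
}

// BEFORE (vulnerable): the request value becomes part of the SQL text, so a
// quote character in it ends the string literal and the rest is parsed as SQL.
//
//   $stmt = db2_exec($conn,
//       "SELECT CUSTNO, NAME FROM CUSTLIB.CUSTOMER WHERE CITY = '" . $city . "'");

// AFTER: the SQL text is a constant. The value travels separately through a
// parameter marker and is never parsed as SQL.
$stmt = db2_prepare($conn,
    'SELECT CUSTNO, NAME FROM CUSTLIB.CUSTOMER WHERE CITY = ?');
if ($stmt === false) {
    error_log('db2_prepare failed: ' . db2_stmt_errormsg());
    http_response_code(500);
    exit;
}

// db2_bind_param() takes the NAME of the PHP variable, not its value.
if (!db2_bind_param($stmt, 1, 'city', DB2_PARAM_IN) || !db2_execute($stmt)) {
    error_log('query failed: ' . db2_stmt_errormsg($stmt));
    http_response_code(500);
    exit;
}

while (($row = db2_fetch_assoc($stmt)) !== false) {
    // Encode on output as well: data read back from the file is untrusted too.
    printf("%s: %s<br>\n",
        htmlspecialchars((string) $row['CUSTNO'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $row['NAME'], ENT_QUOTES, 'UTF-8'));
}

db2_free_stmt($stmt);
db2_close($conn);
```

Under the exclusionary model the slides recommend, the profile the connection runs as still needs explicit authority to the file; the prepared statement removes the injection path but does not replace object-level access control.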

Page 31: PHP Security on i5/OS

Parameter Validation

Do ROBUST parameter validation in your PHP code!

Page 32: PHP Security on i5/OS

Parameter Validation Examples

A (very) Few Examples of Parameter Validation

Password variables
• >= QPWDMINLEN
• <= QPWDMAXLEN

UserID names
• <= 10 characters
• No special characters

SQL Search Text
• Does not include ANY special characters or SQL operators

Page 33: PHP Security on i5/OS

Parameter Validation Examples

A (very) Few Examples of Parameter Validation (cont.)

Miscellaneous variables
• Reasonable lengths for pathnames
• Reasonable parent directory pathnames for file specifications
• Selected item from list is a member of selection list provided

Avoid text input fields when/wherever possible!
• Use selection lists instead

Avoid asking end-user for userID/password
• Run under NOBODY
• Consider hardcoded userID and looking up password (VLDL entry?)
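The validation rules from the two "Parameter Validation Examples" slides, written as allow-list checks. This is an added example, not code from the original slides; the numeric limits, the function names, the sample request and the reports subdirectory under /www/php/pgm1 are assumptions made for illustration.

```php
<?php
// Added example, not from the original slides.
// Values marked "assumed" are placeholders; take the real password limits
// from the QPWDMINLEN and QPWDMAXLEN system values.
const PWD_MIN_LEN  = 6;    // assumed stand-in for QPWDMINLEN
const PWD_MAX_LEN  = 10;   // assumed stand-in for QPWDMAXLEN
const MAX_PATH_LEN = 255;  // assumed "reasonable" pathname length

// User ID: at most 10 characters, no special characters.
function valid_user_id(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9]{1,10}\z/', $id) === 1;
}

// Password: length window only; the content is never inspected or logged.
function valid_password_length(string $pwd): bool
{
    return strlen($pwd) >= PWD_MIN_LEN && strlen($pwd) <= PWD_MAX_LEN;
}

// Search text: words of letters and digits separated by single spaces, so
// quotes, semicolons, wildcards and operator symbols are all rejected.
function valid_search_text(string $text): bool
{
    return strlen($text) <= 40    // assumed cap
        && preg_match('/\A[A-Za-z0-9]+(?: [A-Za-z0-9]+)*\z/', $text) === 1;
}

// Selection list: the value must be one of the options that were offered.
function valid_choice(string $value, array $offered): bool
{
    return in_array($value, $offered, true);
}

// File specification: bounded length, and the resolved path must stay under
// the expected parent directory (realpath() resolves ".." and symlinks).
function resolve_under(string $parent, string $name): ?string
{
    if ($name === '' || strlen($name) > MAX_PATH_LEN || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($parent);
    $full = realpath($parent . '/' . $name);
    if ($base === false || $full === false) {
        return null;              // parent or target does not exist
    }
    $prefix = rtrim($base, '/') . '/';
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed sample request, for illustration only.
$request = ['user' => 'WEBUSER1', 'search' => 'blue widget',
            'region' => 'EMEA', 'report' => '../other/file.txt'];
$regions = ['AMER', 'EMEA', 'APAC'];            // options shown in the form
$results = [
    'user'   => valid_user_id($request['user']),
    'search' => valid_search_text($request['search']),
    'region' => valid_choice($request['region'], $regions),
    'report' => resolve_under('/www/php/pgm1/reports', $request['report']) !== null,
];
foreach ($results as $field => $ok) {
    echo $field, ': ', $ok ? 'accepted' : 'rejected', "\n";
}
```

Each check accepts only what is known to be good and rejects everything else, which fails safely when an unexpected character or path shape shows up.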

Page 34: PHP Security on i5/OS

Summary

Page 35: PHP Security on i5/OS


Summary

Like other external interfaces (e.g. ODBC, FTP, Telnet, TFTP, etc.) to i5/OS, the PHP implementation and usage needs to be protected in order to protect:
• Information resources associated with PHP applications
• Information resources associated with other non-PHP applications on the same system

Protect
• ZENDCORE Library
• /www/zendcore
• /usr/local/zend
• PHP application directories

Use exclusionary access control model on your whole system

Use smart programming practices to prevent exposures

Page 36: PHP Security on i5/OS

The following terms and marks are trademarks of Group8 Security, Inc.:

Security=f(cost,risk)
Managing the Security Equation
Helping Business Manage the Security Equation

Other company, brand and product names are trademarks or registered trademarks of their respective holders.

Information is provided “AS IS” without warranty of any kind. All examples described are presented as illustrations of how customers have used Group8 recommendations, products or services and are the results they may have achieved. Actual results may vary by customer. Information concerning non-Group8 products or services was obtained from a supplier of these products, published announcement materials, or other publicly available sources and does not constitute an endorsement of such products by Group8.

Group8 Security, Inc. is an independent company. It does not receive or accept any form of payment for recommending other company’s products. We recommend products of which we are aware and with which we have at least some understanding or experience. We encourage Customers to conduct their own product evaluations and select a product they believe will meet their requirements.

Copyright Group8 Security, Inc. 2007-2008. All rights reserved.


Trademark & Disclosure Statements

Page 37: PHP Security on i5/OS

ABOUT GROUP8 SECURITY:

At Group8, we believe that IT security is first and foremost a business issue. It has technical aspects but is not inherently a technical problem. Security is something a company does, not something they have or can buy.

Our mission is to partner with you to help define, implement, and manage your security. We'll do this by helping you establish and manage business processes that lead to sound IT security business decisions. Together we'll define security objectives in terms of business requirements, and make technical decisions based on costs and return on investment as well as the effectiveness of the technical measures employed to enforce business objectives.

Group8 Security, Inc. 4790 Caughlin Pkwy, Suite 398 Reno, NV 89519-0907 Tel: 775-852-8887 www.group8security.com

ABOUT THE SPEAKER:

Pat Botz heads up security consulting for Group8, bringing his extensive experience in system security planning to our customers.

Prior to joining Group8, Pat served as the Lead Security Architect and Team Leader for IBM, working on some of the most widely used midrange servers in the business world with a focus on authentication, authorization, auditing, and ease of use. Following his work on System i and the IBM Virtualization Engine, Pat founded the IBM Lab Services security consulting practice with a primary focus on helping customers meet various industry regulations such as SOX, PCI DSS, and SAS 70. He additionally worked to help customers improve the effectiveness and efficiency of their current security management processes, assisting them with moving to exclusionary access control models, eliminating passwords in various environments, managing User IDs, implementing encryption, and auditing on various platforms.

Pat is co-author of the book /Expert’s Guide to OS/400 and i5/OS Security/, and has published numerous articles in the trade press and IBM magazines. He is also a noted worldwide security conference speaker, presenting at various conferences and in webcasts including COMMON, IBM Technical Conference, various user groups, St. Cloud State University Security conference, and IBM Business Partner conferences.