Environment Variables and Attacks Flashcards

Flashcards covering topics of Environment Variables and Attacks discussed in the lecture notes.

Environment Variables

A set of named-value pairs stored inside each process’s memory, part of the operating environment in which a process runs, and can be set by users before a program runs.

Opportunity Created by Environment Variables

A variable that can be used to affect programs' behaviors, especially dangerous for privileged programs, such as the PATH variable.

Accessing Environment Variables in Programs

Functions like getenv(var_name), putenv(), setenv(), and unset() are used.

How Processes Obtain Environment Variables

A child process inherits its parent's variables via fork(), and a process running a new program loses old variables unless execve() is specially invoked to pass them.

Memory Location for Environment Variables

They are stored on the stack of a process's memory before main() is invoked.

Shell Variables

Internal variables used by a shell program; different from environment variables, which are copied into shell variables upon a shell program's start.

/proc File System

A virtual file system in Linux containing directories for each process (named by process ID), with each directory having an 'environ' file containing the process's environment variables.

Attack Surface of Environment Variables

Users can set environment variables, making them a part of the attack surface, especially on Set-UID programs.

Linker and Environment Variables

Linkers use environment variables to find libraries, creating opportunities for attackers to inject malicious libraries, especially during dynamic linking.

Dynamic Linking

Uses environment variables, representing a part of the attack surface that can be exploited.

Dynamic Linker Risks (LDPRELOAD, LDLIBRARY_PATH)

LDPRELOAD contains a list of shared libraries searched first by the linker, while LDLIBRARY_PATH specifies other folders; both can be manipulated by users to control linking outcomes.

Attack Surface Expansion via External Programs

A program may invoke external programs, inheriting the calling process’s privileges; if the external program uses environment variables, it expands the attack surface.

Attack Surface: PATH Variable

Shell programs rely on the PATH variable to locate commands, making it susceptible to manipulation by attackers.

Attack Surface: Library Functions

Environment variables used by library functions can become part of the attack surface if these functions are invoked by privileged programs.

Locale in UNIX

LANG, LANGUAGE, NLSPATH, LOCPATH, LCALL, LCMESSAGES are used by this subsystem that can be controlled by users to manipulate translated messages.

Attack Surface: Application Code

Developers make incorrect assumptions about environment variables, leading to inadequate sanitization and potential security flaws.

Set-UID vs. Service Approach

Normal users run a special program to gain root privileges temporarily, whereas in the service approach, normal users request a privileged service to perform actions for them.

Attack Surface Comparison Between Set-UID and Service Approaches

The first has a broad attack surface due to untrusted environment variables, while the second is safer but still subject to other attack surfaces.