Although there is no reasonable way that all security
problems can be solved on any arbitrary system,
administrators and systems programmers
can be assisted by a software security tool.
COPS is an attempt to address as many potential security
problems as possible in an efficient, portable, and above all, in a
reliable and safe way. The main goal of COPS is one of prevention;
it tries to anticipate and eliminate security problems by
detecting problems and denying enemies an opportunity to
compromise security in the first place.
The potential security hazards that COPS checks for were selected
from readings of a variety of security papers and books (see the
references section at the end of the paper), from
interviews with experienced system administrators, and
from reports of actual system breakins.
We applied the following important guiding principles to the
design and development of COPS:
- COPS should be configurable so that new tools could be added or
the existing tools altered to meet the security needs of the
installation on which it is run. Since UNIX is so dynamic, it
must be possible to incorporate both new tools and methods in COPS as the need
for them becomes apparent.
- COPS should contain no
tool that attempts to fix any security problems that are discovered.
Because COPS makes no modifications to the system, it is not required that
it be run with any particular privilege, and many of the tools
can be run with privilege less than or equal to that of a regular user.
As a result, this lessens the temptation for an intruder to modify
the code in an attempt to make surreptitious changes to the system.
- While COPS should notify the administrator that there may be a
weakness, it does not describe why this is a problem or how to exploit
it. Such descriptions should be found in alternative sources that are not
embedded in the program. Thus, a determined attacker might run
the program, might be able to read the output, but be unaware of a
method to exploit anything that COPS reports it has found.
- COPS should not include any tools whose use by determined
attackers, either standalone or as part of the COPS system, would give them
a significant advantage at finding a way to break into the system
beyond what they might already have in their possession. Thus, a
password checking tool, as was previously described, is
included, but the algorithm utilized is simply what is already present in
the system library of the target system.
- COPS should consist of tools and methods that are simple to read,
understand, and to utilize. By creating the tools in such a manner, any
system administrator can read and understand the system. Not only does this
make it easier to modify the system for particular site
needs, but it allows reexamination of the code at any time to ensure
the absence of any Trojan horse or logic bomb.
- The system should not require a security clearance, export license,
execution of a software
license, or other restriction on use. For maximum effectiveness, the
system should be widely circulated and freely available. At the same
time, users making site-specific enhancements or including proprietary
code for local software should not be forced to disclose their
changes.
Thus, COPS is built from new code without licensing restrictions or
onerous "copyleft," and bears no restriction on distribution or use
beyond preventing it from being sold as a commercial product.
- COPS should be written to be portable to as wide a variety of
UNIX systems as possible, with little or no modification.
In order to maximize portability, flexibility, and readability, the
programs that make up COPS are written as simple Bourne shell scripts
using common commands (awk, sed,
etc.), and when
necessary, small, heavily-commented C programs.
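As an added illustration of these principles (this is example code written for this section, not a script from COPS itself), the following Bourne shell fragment performs one hypothetical check in the COPS style: it reports regular files that are world-writable, makes no modification to anything it finds, needs no special privilege, and uses only find and awk. The sample directory it inspects is constructed by the script.

```shell
#!/bin/sh
# Added example in the COPS style; not part of the COPS distribution.
# Report-only: it never changes modes, never removes files, and can be
# run as an ordinary user (it simply sees fewer files in that case).

# Print one warning line per regular file under $1 that is writable
# by "other" (mode bit 0002). The message wording is ours.
check_world_writable() {
    dir="$1"
    find "$dir" -type f -perm -0002 -print 2>/dev/null |
        awk '{ print "Warning! File " $0 " is _World_ writable!" }'
}

# Number of warnings produced for directory $1 (handy for scripting).
count_world_writable() {
    check_world_writable "$1" | wc -l | tr -d ' '
}

# Constructed sample: a scratch directory holding one file with
# ordinary permissions and one that is world-writable.
make_sample() {
    sample=$(mktemp -d)
    printf 'x\n' > "$sample/ok.txt";  chmod 0644 "$sample/ok.txt"
    printf 'x\n' > "$sample/bad.txt"; chmod 0666 "$sample/bad.txt"
    printf '%s\n' "$sample"
}

# Stand-alone demonstration: build the sample, report, clean up the
# sample directory we created (the check itself touched nothing).
if [ "${COPS_DEMO:-}" = "1" ]; then
    d=$(make_sample)
    check_world_writable "$d"
    rm -rf "$d"
fi
```

Run with `COPS_DEMO=1 sh check.sh` to see the single warning for bad.txt; because the check only reads metadata, the same script can be re-read and re-run at any time, which is the auditability the last principles ask for.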