Project Prometheus - Network Alternate Data Streams (NADS)
Russ Rogers - April 2004

A HUGE shout out to the SLC2600/DCG801 for working on this project with me. If you haven't visited their site, get your ass over there, NOW!

Synopsis:
The goal of Prometheus is to create an Open Source project that takes into account the inherent flaws in the Microsoft implementation of Alternate Data Streams (ADS) and uses those attributes to create a tool for increased security. The concept is similar to making lemonade from lemons. We're taking an insecure component of the NTFS file system and creating a tool that will provide increased security.

History:
The problem dates back to Apple's implementation of resource forks. Each file within the Apple file system did not need file extensions for the system to recognize the type of file that was being utilized. This is due to the fact that these files actually consisted of two separate forks of information; one resource fork and another data fork. Think of these forks as the same thing as data streams under Microsoft NTFS. The resource fork told the Mac OS what type of file was being clicked on so that it could load the appropriate application, whereas the data fork provided the actual data.

In the beginning of the Microsoft NT based operating systems, MS tried very hard to ensure that the OS could communicate and share files with the Apple platforms. The first piece of this was to ensure that Windows could speak AppleTalk. The second piece was the actual act of sharing files. Unfortunately, when Windows took a file from a Mac based system it only took the data fork, so the Windows OS had no idea what type of file was now on the system. To counter this issue, MS created Alternate Data Streams, which allow NTFS file systems to share multi-stream files with other operating systems.

The Problem:
Microsoft has created a decent platform for sharing files with Mac operating systems, but it has also opened the door to numerous potential insecurities. Windows operating systems do not currently ship with a tool installed for listing or detecting ADS. This presents a problem since anyone can attach a new stream to any file on the system. This is even more of an issue when you consider that this can be done to system files that most administrators believe are safe based on permission settings.

The problem isn't new and has been written about for years. I actually wrote an article telling of the potential vulnerabilities of ADS back in 1999. In 2000, the W2k.Stream virus hit the Internet hard and what most administrators and normal users aren't aware of is the fact that this virus hid itself as an ADS inside Windows system files. There are numerous Trojans and viruses that use this technology today and even more nefarious activities, such as child pornography and terrorist activities are believed to be using this technology, as well.

Another catch is that files moved across an NTFS file system will keep their alternate data streams. A stream can only be removed by a user who already knows its name, which makes it a great way of hiding information.
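As an added example (not code from the Prometheus project or its author), the following PowerShell script shows the two defensive operations the write-up says Windows lacks a built-in tool for: enumerating every stream attached to files under a directory tree, and removing a named stream once its name is known. It assumes PowerShell 3.0 or later on an NTFS volume; the demo file, its stream name and the temp directory are constructed for the example.

```powershell
# Added example, not part of the original write-up.
# Enumerate alternate data streams under a directory tree and report
# anything beyond the default ::$DATA stream that every file carries.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is written for downloaded files and is usually
        # benign; it is skipped unless -IncludeZoneIdentifier is given.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream on the file, including the primary one.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Constructed demo data: a plain file with one hidden stream attached.
# Paths and stream name are hypothetical.
$demo   = Join-Path $env:TEMP 'nads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'readme.txt'
Set-Content -LiteralPath $target -Value 'visible content'
Set-Content -LiteralPath $target -Stream 'hidden.txt' -Value 'constructed hidden payload'

# Detection pass: should report readme.txt with stream hidden.txt.
Find-AlternateDataStream -Root $demo | Format-Table -AutoSize

# Inspect, then remove each reported stream. Removal needs the stream name,
# which is exactly what the enumeration above supplies.
foreach ($hit in Find-AlternateDataStream -Root $demo) {
    Get-Content -LiteralPath $hit.File -Stream $hit.Stream -Raw
    Remove-Item -LiteralPath $hit.File -Stream $hit.Stream
}

# Second pass should report nothing.
Find-AlternateDataStream -Root $demo
```

Note that the stream listing is per file: copying a file to a non-NTFS volume, or through a tool that reads only the primary stream, silently drops the extra streams, so a detector should be run on the NTFS source rather than on a copy.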

Project Description:
Prometheus has multiple levels of implementation and will require project management from various volunteers across the Open Source community. This tool simply cannot be created by a single individual, in a short period of time, while still maintaining the legitimacy of the project. There are currently tools available that allow for listing of ADS in the NTFS environment, but there are currently no known tools that grab a file off of the file system and still retain all of the extraneous data streams attached to that file. For instance, WinZip does not have the capability to do this, nor do email programs or FTP clients. These applications grab the primary instance of data and ignore the extra streams of data attached to a particular file handle.

Phase 1 consists of building a tool that can both find and create Alternate Data Streams within the NTFS file system. This tool should be easy to use, easy to install, and resource friendly. The big catch with Phase 1 is that the tool needs to have a means for picking up the extra data streams attached to each file and encapsulating the entire package for transfer across a normal TCP/IP based network.

Phase 2 of the project will take this one step further by allowing these streams to be encrypted prior to insertion as a stream. Now, even if we have the ability to locate the various streams on a file system, we can't open the data without the appropriate key. In addition, the software itself is protected by a password.

Phase 3 is the crux of Prometheus and will hopefully provide a mature product. At this stage, we want to take a file intended to be inserted into an ADS and break it into pieces. Each piece is then stored in a separate stream. The pieces can only be realigned and put back together if the user has the correct key. I call this SADS, or Secure Alternate Data Streams. At this point, even if each stream is detected, only the software knows for certain in what order those streams must be reassembled, and this information is stored in an encrypted database file.

To Do List:
- Determine if an adequate API currently exists for implementing this process on top of the MS ADS structure.
- Determine what interest level exists in the community for creating this tool.
- Determine what programming language is best utilized for this project.
- Determine the plausibility of creating a *nix based client that can remove the Prometheus streams.
- Determine the plausibility of using Apple's architecture to create a port of Prometheus. Can Mac OS X or Mac OS 9x handle multiple forks of data, or are we locked into the two that have already been defined?

Copyright 2004, Russ Rogers and SecurityTribe.com

-Russ Rogers
vertigo@securitytribe.com