01 Intro Thompson

7/29/2019 01 Intro Thompson

1/44

Computer andNetwork Security

Dan Boneh and John Mitchell

CS 155 Spring 2013

https://courseware.stanford.edu/pg/courses/CS155


2/44

Whats this course about?

Intro to computer and network security

Some challenging fun projects Learn about attacks

Learn about preventing attacksLectures on related topics Application and operating system security

Web security

Network security, Mobile app security

Not a course on cryptography (take CS255!)


3/44

Organization (subject to change)Application and OS security (5 lectures)

Buffer overflow project Vulnerabilities: control hijacking attacks, fuzzing Prevention: System design, robust coding, isolation

Web security (4 lectures) Web site attack and defenses project Browser policies, session mgmt, user authentication HTTPS and web application security

Network security (6 lectures) Network traceroute and packet filtering project Protocol designs, vulnerabilities, prevention Malware, botnets, DDoS, network security testing

A few other topics Cryptography (user perspective), digital rights management,

final guest lecture,


4/44

General course info (see web)

Prerequisite: Operating systems (CS140)

Textbook: none reading online

Coursework

3 projects, 2 homeworks, final exam

grade: 0.25 H + 0.5 P + 0.25 F

Teaching assistants

Occasional optional section Introduction to project assignments


5/44


6/44

SECURITY CONCEPTS


7/44

What is security?

System correctness

If user supplies expected input, system generatesdesired output

Security If attacker supplies unexpected input, system does

not fail in certain ways


8/44

What is security?

System correctness

Good input Good output

Security

Bad input Bad output


9/44

What is security?

System correctness

More features: better

Security

More features: can be worse


10/44

Security properties

Confidentiality

Information about system or its users cannot belearned by an attacker

Integrity The system continues to operate properly, only

reaching states that would occur if there were noattacker

Availability Actions by an attacker do not prevent users from

having access to use of the system


11/44

System

AttackerAlice

General picture

Security is about

Honest user (e.g., Alice, Bob, ) Dishonest Attacker

How the Attacker

Disrupts honest users use of the system (Integrity, Availability)

Learns information intended for Alice only (Confidentiality)


12/44

Network Attacker

Intercepts andcontrols networkcommunication

Alice

System

Network security


13/44

Web Attacker

Sets up malicioussite visited by

victim; no controlof network

Alice

System

Web security


14/44

OS Attacker

Controls maliciousfiles and

applications

Alice

Operating system security


15/44

System

AttackerAlice

Confidentiality:Attacker does not learn Alices secrets

Integrity:Attacker does not undetectably corrupt systems function for Alice

Availability:Attacker does not keep system from being useful to Alice


16/44

TRENDS AND STATISTICS


17/44

The computer security problem

Lots of buggy software (and gullible users)

Money can be made from finding andexploiting vulnerabilities.

Marketplace for vulnerabilities

Marketplace for owned machines (PPI)

Many methods to profit from owned client machines


18/44


19/44

Reported Web Vulnerabilities "In the Wild"

Data from aggregator and validator of NVD-reported vulnerabilities


20/44

Web vs System vulnerabilities

Decline in % web vulns since 2009

49% in 2010 -> 37% in 2011.

Big decline in SQL Injection vulnerabilities

XSS peak


21/44

Mobile Operating SystemsMobile OS Vulnerabilities Mobile OS Exploits

Source: IBM X-Force, Mar 2011


22/44

Phishing?


23/44

Bot networks

Continue to be major problem (e.g., Spam)


24/44

THE MARKETPLACE FORVULNERABILITIES


25/44

Marketplace for Vulnerabilities

Option 1: bug bounty programs

Google Vulnerability Reward Program: 3K $

Mozilla Bug Bounty program: 500$

Pwn2Own competition: 15K $

Option 2:

ZDI, iDefense: 2K 25K $


26/44

Marketplace for Vulnerabilities

Option 3: black market

Source: Charlie Miller (securityevaluators.com/files/papers/0daymarket.pdf)


27/44

Marketplace for owned machines

Pay-per-install (PPI) services

Own victims machine Download and install clients code

Charge client

Source: Cabalerro et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

spambot

keyloggerclients

PPIservice

Victims

Cost:

US 100-180$ / 1000 machinesAsia 7-8$ / 1000 machines


28/44

ATTACKER GOALS, EXAMPLES


29/44

The computer security problem

Lots of buggy software (and gullible users)

Money can be made from finding andexploiting vulnerabilities.

Marketplace for vulnerabilities

Marketplace for owned machines (PPI)

Many methods to profit from owned client machines

Wh hi


30/44

Why own machines:IP address and bandwidth stealing

Attackers goal: look like a random Internet user

Use the infected machines IP address for:

Spam (e.g. the storm botnet)

Spamalytics: 1:12M pharma spams leads to purchase1:260K greeting card spams leads to infection

Denial of Service:

Services: 1 hour (20$), 24 hours (100$)

Click fraud (e.g. Clickbot.a)


31/44

Why own machines:Steal user credentials

keylog for banking passwords, web passwords,gaming pwds

Example: SilentBanker (2007)

Bank

Malware injectsJavascript

Bank sends loginpage needed to login

When user submitsinformation, also sentto attacker

User requests login page

Similar mechanism usedby Zeus botnet


32/44

Why own machines:Spread to isolated systems

Example: Stuxtnet

Windows infection

Siemens PCS 7 SCADA control software on Windows

Siemens device controller on isolated network

More on this later in course


33/44

Drive-by Downloads


34/44

Web attack toolkit: MPack

Basic setup Toolkit hosted on web server Infects pages on that server Page visitors get infected

Features Customized: determines

exploit on the fly, based onusers OS, browser, etc

Easy to use: managementconsole provides stats oninfection rates

Customer care toolkit can bepurchased with one-yearsupport contract!


35/44

Insider attacks: example

Hidden trap door in Linux (nov 2003)

Allows attacker to take over a computer

Practically undetectable change (uncovered via CVSlogs)

Inserted line in wait4()

Looks like a standard error check, but

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

retval = -EINVAL;

See: http://lwn.net/Articles/57135/


36/44

WHAT CAN YOU TRUST?


37/44

Ken Thompson

What code can we trust?

Consider "login" or "su" in Unix

Is RedHat binary reliable?

Does it send your passwd to someone?Can't trust binary so check source, recompile

Read source code or write your own

Does this solve problem?

Reflections on Trusting Trust, http://www.acm.org/classics/sep95/


38/44

Compiler backdoor

This is the basis of Thompson's attack

Compiler looks for source code that looks like loginprogram

If found, insert login backdoor (allow special userto log in)

How do we solve this?

Inspect the compiler source


39/44

C compiler is written in C

Change compiler source S

compiler(S) {

if (match(S, "login-pattern")) {

compile (login-backdoor)

return

}

if (match(S, "compiler-pattern")) {

compile (compiler-backdoor)

return}

.... /* compile as usual */

}


40/44

Clever trick to avoid detection

Compile this compiler and delete backdoor tests fromsource

Someone can compile standard compiler source to get newcompiler, then compile login, and get login with backdoor

Simplest approach will only work once Compiling the compiler twice might lose the backdoor

But can making code for compiler backdoor output itself

(Can you write a program that prints itself? Recursion thm)

Read Thompson's article Short, but requires thought


41/44

CONCLUDING


42/44

Ethical use of security information

We discuss vulnerabilities and attacks

Most vulnerabilities have been fixed

Some attacks may still cause harm

Do not try these at home or anyplace elsePurpose of this class

Learn to prevent malicious attacks

Use knowledge for good purposes


43/44

If you remember only one thing from this course:

A vulnerability that is

too complicated for anyone to ever find

will be found and exploited !

We hope you remember more than one thing


44/44

Documents

01 Intro Thompson