Embed Size (px)
DESCRIPTION
Network Security Lecture 1
Citation preview
1
1
Lec.43 Class Review
• Final reschedule: – Wen. 5/13 12pm-2pm, H389. (bring a jacket)– No objections and 15+ like the new time
– I give you some sample exam questions– Close book and notes, but you can have a Two-page cheat-sheet
» E.g., all attacks and defenses, important definitions, ideas, methods
2
• There are too many topics in computer security• This class is just an introduction to some topics
– Hopefully, it shows the basic ideas and make everyone more aware security related issues
– Malware, Security Model, Security Auditing– Database security, web security, cloud security, mobile security, penetration test, etc.
– The textbook has some coverage on related issues
3
What is Computer Security?• The security of a system/application/protocol is
relative to– A set of desired properties, e.g., CIA
» Different people with different goals may define different requirements, confidentiality, integrity, availability, etc.
» E.g., only admin can delete a file, no outside remote login
– An adversary with specific capabilities» E.g., standard file access permissions in Linux and Windows
are not effective against an adversary who can boot from a CD everything then is readable to them
» A sniffer of all wireless traffic» A global traffic monitor
4
Overview of Computer Security
These concepts covers almost all existing aspects• Components of Computer security: CIA• Threats, vulnerabilities, and Attacks• Policies and mechanisms• The role of trust• Assurance• Operational Issues• Human Issues
5
Basic security issues• Security Requirements: what we want
– It is not easy to define clearly– clients does not know what they want!
• Security Attacks: what go wrong– Millions of types of attacks: scripts exploit vul.
• Security Services: what can help us– Basic weapons we have: email filters
• Security Mechanisms: what implement service– Build a defense system to defeat specific attacks
• A Simple Model for Network Security6
Basic Components: CIA• Confidentiality
– Keeping data and resources hidden– E.g., secret messages, secret agents or locations
• Integrity– Data integrity (integrity)– Origin integrity (authentication)
• Availability– Enabling access to data and resources
2
7
(1) Confidentiality
• Confidentiality is the avoidance of the unauthorized disclosure of information. – confidentiality involves the protection of data, providing access for those who are allowed to see it,
– while disallowing others from learning anything about its content (or activity)
8
Tools for Confidentiality• C1: Encryption:• the transformation of information using a secret, called
an encryption key, • so that the transformed information can only be read
using another secret, called the decryption key (which may be the same as the encryption key).
yptencrypt
dryptdecrypt
ciphertextplaintext
sharedsecret
key
sharedsecret
key
CommunicationchannelSender Recipient
Attacker(eavesdropping)
plaintext
9
Tools for Confidentiality• C2: Access control:• rules and policies that limit access to
confidential information to those people and/or systems with a “need to know”– This “need to know” may be determined by identity, such as a person’s name or a computer’s serial number,
– or by a role that a person has, such as being a manager or a computer security specialist.
– Your files on wiliki I cannot read– Contents released by Wikileaks in 2010
» Bradley E. Manning, one of 3 millions people have accesses» Over-reaction after 9/11
10
Tools for Confidentiality• C3: Authentication: • the determination of identity or role that someone has.
This determination can be done in a number of different ways, but it is usually based on a combination of
– something the person has (like a smart card or a radio key for storing secret keys),
– something the person knows (like a password),
– something the person is (like a human with a fingerprint)
– Something the person does (dynamic biometics)
Something you areSomething you know
Something you have
radio token withsecret keys
password=ucIb()w1Vmother=Jones
pet=Caesarhuman with fingers
and eyes
11
Tools for Confidentiality• C4: Authorization:• the determination if a person or system is allowed
access to resources, based on an access control policy. – Such authorizations should prevent an attacker from tricking the system into letting him have access to protected resources. E.g., MAC address
• C5: Physical security:– the establishment of physical barriers to limit access to protected resources
– The most common method– Such barriers include locks on cabinets and doors, – the placement of computers in windowless rooms, – the use of sound dampening materials, – the construction of buildings or rooms with walls incorporating copper meshes (called Faraday cages) so that electromagnetic signals cannot enter or exit the enclosure.
12
(2) Integrity• Integrity: the property that information has not be altered in an unauthorized way
• Tools:– Backups: the periodic archiving of data. – Checksums: the computation of a function that maps the contents of a file to a numerical value.
» A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value.
– Data correcting codes: methods for storing data in such a way that small changes can be easily detected and automatically corrected
– Secure Hash functions/MACs
3
13
(3) Availability• Availability: the property that information is
accessible and modifiable in a timely fashion by those authorized to do so.
• Tools:– Physical protections: infrastructure meant to keep information available even in the event of physical challenges. bomb-proof building
– Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures. Backup servers
– Sometimes, it is the hard to achieve in practice: e.g., network Distributed Denial Of Service Attack
14
Other Security Concepts: A.A.A.
Authenticity
AnonymityAssurance
15
Assurance• Assurance refers to how trust is provided and managed
in computer systems• Trust management depends on:
– Policies, which specify behavioral expectations that people or systems have for themselves and others.
» E.g., the designers of an online music system may specify policies that describe how users can access and copy songs.
– Permissions, which describe the behaviors that are allowed by the agents that interact with a person or system.
» E.g., an online music store may provide permissions for limited access and copying to people who have purchased certain songs.
– Protections, which describe mechanisms put in place to enforce permissions and polices.
» an online music store would build in protections to prevent people from unauthorized access and copying of its songs.
16
Authenticity• Authenticity is the ability to determine that
statements, policies, and permissions issued by persons or systems are genuine.
• Primary tool:– digital signatures. These are cryptographic computations that allow a person or system to commit to the authenticity of their documents in a unique way that achieves nonrepudiation,
– which is the property that authentic statements issued by some person or system cannot be denied.
17
Anonymity (or privacy)• Anonymity: the property that certain records or
transactions not to be attributable to any individual.• Tools:
– Aggregation: the combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual. ballot box
– Mixing: the intertwining of transactions, info, or comm. in a way that cannot be traced to any individual.
– Proxies: trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person.
– Pseudonyms: fictional identities that can fill in for real identities in communications and transactions, but are otherwise known only to a trusted entity.
18
Classes of Threats• Disclosure
– Snooping: wiretapping• Deception
– Modification, spoofing, repudiation of origin, denial of receipt
• Disruption– Physical attacks, DoS, DDoS
• Usurpation– To take over without authority bot– Modification, spoofing, delay
4
19
Threats and Attacks
• Eavesdropping: the interception of information intended for someone else during its transmission over a communication channel.
• Passive attack: your employer watch your web traffic
Alice Bob
Eve 20
Threats and Attacks• Alteration: unauthorized modification of
information. – Example: the man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted
– Active attack, e.g., hotel wireless service? VPN
encryptencrypt
decrypt
decrypt
ciphertext Cshared secret
key
plaintext M plaintext M′
sharedsecret
key
CommunicationchannelSender Recipient
Attacker(intercepting)
ciphertext C′
21
Threats and Attacks
• Denial-of-service: the interruption or degradation of a data service or information access. – Example: email spam to simply fill up Alice’s queue and slow down an email server
Alice22
Threats and Attacks
• Masquerading: the fabrication of information that is purported to be from someone who is not actually the author– Phishing email, fake phone calls
“From: Alice”(really is from Eve)
23
Threats and Attacks
• Repudiation: the denial of a commitment or data receipt. – This involves an attempt to back out of a contract or a protocol that requires the different parties to provide receipts acknowledging that data has been received.
24
Threats and Attacks• Correlation and traceback: the integration of
multiple data sources and information flows to determine the source of a particular data stream or piece of information– IP address, OS parameter, User parameter, traffic type/time/volume,
Bob
5
25
Security Attacks Summary 1
Release of message contents
Traffic analysis
Steve Jobs contacts with Cingular a lot in 2007iPhone service!
• eavesdropping, monitoring transmissions
Passive threats
26
Security Attacks Summary 2
Masquerade Denial ofService (DOS)
• modification of the data stream
Active threats
Replay Modification of message contents
27
Policies and Mechanisms• Policy says what is allowed and is not allowed
– This defines “security” for a system– Policy: may be expressed in
» natural language, which is usually imprecise but easy to understand; “no remote login”
»mathematics, which is usually precise but hard to understand;
» policy languages, which look like some form of programming language and try to balance precision with ease of understanding, e.g., PolicyMaker
• (IP_addr == xxx) & (clearance == secret)
• Mechanisms enforce policies28
Policies and Mechanisms• Mechanisms enforce policies. They may be
– technical, in which controls in the computer enforce the policy; e.g., the requirement that a user supply a password to authenticate herself before using the computer
– procedural, in which controls outside the system enforce the policy; e.g., firing someone for ringing in a disk containing a game program obtained from an untrusted source
– The composition problem requires checking for inconsistencies among policies.
» E.g., one policy allows students and faculty access to the data, and the other allows only faculty access to the data, then they must be resolved
• Composition of policies– If policies conflict, discrepancies may create security vulnerabilities: which rule to follow?
» One rule: All traffic from IP1 is allowed» Another rule: traffic with an authentication tag is allowed
29
Goals of Security• Prevention is ideal
– Prevent attackers from violating security policy– E.g., Intrusion Prevention Systems (IPSs), really?
• Detection occurs after someone violates the policy– Detect attackers’ violation of security policy– Know what have got by the attacker– E.g., Intrusion Detection Systems (IDSs)
• Recovery means that the system continues to function correctly– Stop attack, assess and repair damage– Continue to function correctly even if attack succeeds
– E.g., Power grid30
Trust and Assumptions• Underlie all aspects of security• Policies must
– Unambiguously partition system states: secure or unsecure– Correctly capture security requirements
» a web site has to be available, but if the security policy does not mention availability, the definition of security is inappropriate for the site.
• Mechanisms– Assumed to enforce policy
» cryptography does not assure availability, so using cryptography in the above situation won’t work
– Support mechanisms must work correctly» rely on supporting infrastructure, such as compilers, libraries,
the hardware, and networks to work correctly
6
31
Types of Mechanisms• A reachable state is one that the computer can
enter
• A secure state is a state defined as allowed by the security policy.
• The left figure shows a secure system– all reachable states are in the set of secure states. The system
can never enter (reach) a non-secure state, but there are secure states that the system cannot reach.
• The middle figure shows a precise system– all reachable states are secure, and all secure states are
reachable. Only the non-secure states are unreachable.
• The right figure shows a broad system. – Some non-secure states are reachable. This system is also not
secure.32
Types of Mechanisms
secure precise insecure
set of reachable states set of secure states
33
Assurance• Assurance is a measure of how well the system
meets its requirements, or how much you can trust the system to do what it is supposed to do
– It does not say what the system is to do
• Specification– From requirements analysis: what the system must do to meet those requirements
– Statement of desired functionality
• Design a system meets the specification• Implementation
– actual coding of the modules and software components
– Programs/systems that carry out design34
Operational Issues• A “secure” system can be breached by improper operation
– E.g., when accounts with no passwords are created
• Cost-Benefit Analysis– Is it cheaper to prevent or recover?
» Airport full-body scanner, $180k plastic explosive?» http://www.schneier.com/blog/archives/2010/11/tsa_backscatter.html» How about use 1% of $10 billions for intelligence?
• Risk Analysis: what happens if the data and resources are compromised? 80-year-old lady or 1-year-old baby
– What should we protect? How much?• Laws and Customs
– Are desired security measures illegal?– Will people do them? use of urine specimens to determine identity
35
Human Issues• Organizational Problems: the key here is that those
responsible for security have the power to enforce security. Often not true: admin vs. security officer– Financial benefits: security indirect income
» Body-scanner companies
• People problems– Outsiders and insiders
» insiders account for 80-90% of all security problems
– Social engineering» Phishing email or phone calls
36
Tying Together: loop
ThreatsPolicy
Specification
Design
Implementation
Operation
7
37
10 Security Principles
(1975)
Economy of
mechanism Fail-safe defaults
Complete mediation
Open design
Separation of
privilegeLeast privilege
Least common
mechanism
Psychological acceptability
Work factor
Compromise recording
38
Economy of mechanism• This principle stresses simplicity in the design
and implementation of security measures. – the notion of simplicity is especially important in the security domain
– since a simple security framework facilitates its understanding by developers and users and enables the efficient development and verification of enforcement methods for it.
39
Fail-safe defaults• This principle states that the default
configuration of a system should have a conservative protection scheme– E.g., when adding a new user to an operating system, the default group of the user should have minimal access rights to files and services.
– Unfortunately, OSs and applications often have default options that favor usability over security
» Historically, web browsers that allow the execution of code downloaded from the web server.
40
Complete mediation• The idea behind this principle is that every
access to a resource must be checked for compliance with a protection scheme– we should be wary of performance improvement techniques that save the results of previous authorization checks,
» since permissions can change over time.
– E.g., an online banking web site should require users to sign on again after a certain amount of time has passed, say, 15 minutes
– UH portal has the same feature
41
Open design• the security architecture and design of a
system should be made publicly available – Security should rely only on keeping cryptographic keys secret
– Open design allows for a system to be scrutinizedby multiple parties, E-Voting system
» which leads to the early discovery and correction of security vulnerabilities caused by design errors
» http://www.snagfilms.com/films/title/hacking_democracy– The open design principle is the opposite of the approach known as security by obscurity
» achieve security by keeping cryptographic algorithms secret
» which has been historically used without success by several organizations
42
Separation of privilege• multiple conditions should be required to achieve
access to restricted resources or have a program perform some action– Launching a nuclear missile– Opening a bank vault
8
43
Least privilege• Each program and user of a computer system
should operate with the bare minimum privileges necessary to function properly.– abuse of privileges is restricted, the damage caused by the compromise of a user is minimized
– The military concept of need-to-knowinformation is an example of this principle
44
Least common mechanism• In a system with multiple users, mechanisms
allowing resources to be shared by more than one user should be minimized. – if a file needs to be accessed by more than one user, then these users should have separate channels by which to access these resources,
» to prevent unforeseen consequences that could cause security problems
» Easy to figure out who is the traiter
45
Psychological acceptability• user interfaces should be well designed and intuitive, and all security-related settings should adhere to what an ordinary user might expect– NSA Pat-down procedure
46
Work factor• the cost of circumventing a security mechanism
should be compared with the resources of an attacker when designing a security scheme. – A system developed to protect student grades in a university database,
» which may be attacked by snoopers or students trying to change their grades,
needs less sophisticated security measures than a system built to protect military secrets, which may be attacked by government intelligence
organizations
47
Compromise recording• it is more desirable to record the details of
an intrusion than to adopt more sophisticated measures to prevent it – Internet-connected surveillance cameras are a typical example of an effective compromise record system that can be deployed to protect a building in lieu of reinforcing doors and windows.
– The servers in an office network may maintain logsfor all accesses to files, all emails sent and received, and all web browsing sessions
48
Topic: Access ControlTraditional topic on a
single computer• Users and groups• Authentication• Passwords• File protection• Access control
matrices/lists
• Which users can read/write which files?
• Are my files really safe?
• What does it mean to be root?
• What do we really want to control?
9
49
Access Control Matrices• A table that defines permissions
– Each row of this table is associated with a subject, » which is a user, group, or system that can perform actions.
– Each column is associated with an object, » which is a file, directory, document, device, resource, or
any other entity for which we want to define access rights.
– Each cell is then filled with the access rights for the associated combination of subject and object.
» Access rights can include actions such as reading, writing, copying, executing, deleting, and annotating.
» An empty cell means that no access rights are granted.
50
2. Access Control Lists• for each object o, a list L is defined
– enumerates all the subjects that have access rights for o
– for each such subject s gives the access rights that s has for object o.
/etc/passwd /usr/bin/ /u/roberto/ /admin/
root: r,w,xbackup: r,x
root: r,w,xroberto: r,w,xbackup: r,x
root: r,w,xmike: r,x
roberto: r,xbackup: r,x
root: r,wmike: r
roberto: rbackup: r
51
3. Capabilities
• a subject-centeredapproach to access control
• for each subject s, it defines the list of the objects for which s has nonempty access control rights– together with the specific rights for each such object
/etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,xroot
/usr/passwd: r; /usr/bin: r;/u/roberto: r,w,xroberto
/usr/passwd: r; /usr/bin: r,xmike
backup/etc/passwd: r,x; /usr/bin: r,x;
/u/roberto: r,x; /admin/: r,x
52
4. Role-based Access Control• Define roles and then specify access control
rights for these roles– rather than for subjects directly
Department Member
Administrative Personnel
Accountant Secretary
Administrative Manager
Faculty
Lab Technician
Lab Manager
Student
Undergraduate Student
Graduate Student
Department Chair
Technical Personnel
Backup Agent
System Administrator
Undergraduate TA
Graduate TA
53
Social Engineering• Pretexting: creating a convincing story that convinces
an administrator into revealing secret information– Knowing a lot of details: dumpster diving!– “Old friend” calls you on a quick loan
• Baiting: offering a kind of “gift” to get a user or agent to perform an insecure action– Free game, $5 rebate, …Drop a USB key at Pentagon parking lot
• Quid pro quo: offering a service and then expecting something in return– Something-for-something
• Psychological Your grandson is in jail! Send bail money asap!
54
Ch.2 Physical Security• Physical Protection and Attacks
– Digital data must physically located somewhere
• Physical security: Any physical object that creates a barrier to unauthorized access– This includes: locks, latches, safes, alarms, guards, guard dogs, doors, windows, walls, ceilings, floors, fences, door strikes, door frames and door closers
1. Location protection2. Physical intrusion detection3. Hardware attacks4. Eavesdropping5. Physical interface attacks
10
55
Pin Tumbler Lock Terminology
shell
tumblerspring
sheer line
cylinder or plugkeyway
diver pin
Key pin
56
basic algorithm for picking locks– The top pin of that pin stack will be trapped above the shear line, the bottom pin will fall freely, and now a new pin stack (the next most misaligned one) prevents further rotation
• basic algorithm for picking locks– Apply a small amount of torque to the plug– Repeat until lock turns:
» Locate the pin stack that's being pinched at the shear line (it resists slightly when pushed up)
» Continue to push that pin stack up until its cut reaches the shear line and the plug turns slightly
57
Side Channel Attacks
• Rather than attempting to directly bypass security measures, an attacker instead goes around them by exploiting other vulnerabilities not protected by the security mechanisms.
• Side channel attacks are sometimes surprisingly simple to perform.
High security lock
Cheap hinges
58
Authentication Technologies• The determination of identity, usually based on a
combination of – something the person has (like a smart card or a radio key fob storing secret keys),
– something the person knows (like a password), – something the person is (like a human with a fingerprint, or a voice)
Something you are
Something you know
Something you have
radio token withsecret keys
password=ucIb()w1Vmother=Jones
pet=Caesarhuman with fingersand eyes
59
What is Computer Forensics?• A Scientific process of
– preserving, identifying, extracting, documenting, and interpreting
– data on a computer/network device, etc.
• Used to obtain potential legal evidence– Deleted/encrypted files– Browser history– System logs boot time, login timedata access records, GPS records, …
– Trace back IP addresses
60
Computer Forensics Procedures
The Forensic Paradigm
•Identify specific
objects that store
important data for the case
analysis
•Establish a chain of
custody and document all
steps to prove that the
collected data remains intact and unaltered
•Determine the type of
information stored on
digital evidence and conduct a
thorough analysis of the
media
•Prepare and deliver an official report
Collection ReportingAnalysis and EvaluationIdentification
11
61
A Computer Model• a computer consists of a CPU, random access
memory (RAM), input/output (I/O) devices, and long-term storage
Disk DriveRAM
CPU
0123456789...
I/O
62
OS Concepts
• OS provides the interface between the usersof a computer and that computer’s hardware– OS manages how applications access the resources in a computer
» including its disk drives, CPU, main memory, input devices, output devices, and network interfaces
» Regular user cannot directly access otherwise, sniffing/changing every bit
– OS manages multiple users– OS manages multiple programs
63
Multiple processes sharing the CPU and memory
• A program must be brought into memory and placed within a process for it to be run.
• An Input queue: collection of processes on the disk that are waiting to be brought into memory to run the program
• Ready Queue: Multiple processes sharing the CPU and memory
New Task
64
Multitasking• Give each running program a
“slice” of the CPU’s time, 1ms– Process scheduling
• CPU is switching processes very fast
• to any user, it appears that the computer is running all the programs simultaneously
65
A Layer Model: The Kernel• The kernel is the core component of OS
– manage low-level hardware resources» including memory, processors, and input/output (I/O) devices, such as a
keyboard, mouse, or video display.
• OSs define the tasks associated with the kernel in layers
User Applications
Non-essential OS Applications
The OS Kernel
CPU, Memory, Input/Output
Userland
Operating System
Hardware
66
Input/Output (I/O) Devices• I/O devices of a computer include keyboard, mouse,
video display, and network card– and other optional devices, like a scanner, Wi-Fi interface,
video camera, USB ports, etc.
• Each device is represented in OS using a device driver, which encapsulates the details of how interaction with that device should be done
• The application programmer interface (API) of the device drivers allows application programs to interact with those devices at a high level, – while the OS does the “heavy lifting” of performing the low-level interactions that make such devices actually work.
12
67
What is a System Call?• User applications don’t communicate directly
with low-level hardware components, and instead delegate such tasks to the kernel via system calls– System calls are usually contained in a collection of programs, e.g., C library (libc) “printf()”
• they provide an interface that allows applications to use APIs for communicating with the kernel– Examples of system calls include those for performing file I/O (open, close, read, write) and running application programs (exec).
68
What is a Process?• is an instance of a program that currently executing• The actual contents of all programs are initially stored
in persistent storage, such as a hard drive.• In order to be executed, a program must be loaded
into random-access memory (RAM) and uniquely identified as a process.
• In this way, multiple copies of the same program can be run as different processes.
– E.g., multiple copies of Editor open at the same time
69
Memory Management• address space is the RAM of a computer
– It contains both the code for the running program, its input data, and its working memory
• segments – For any running process, it is organized into different segments
» keep the different parts of the address space separate
– security concerns require that we never mix up these different segments
70
6 segments for x86• Stack Segment (SS). Pointer to the stack.• Code Segment (CS). Pointer to the code.• Data Segment (DS). Pointer to the data.
• Extra Segment (ES). Pointer to extra data ('E' stands for 'Extra').
• F Segment (FS). Pointer to more extra data ('F' comes after 'E').
• G Segment (GS). Pointer to still more extra data ('G' comes after 'F').
71
What is Virtual Memory?• There is not enough physical memory for the address
spaces of all running processes– 32-bit 4 GB, 64-bit 8 TB per process
• OS gives each running process the illusion that it has access to its complete (contiguous) address space– The previous view is virtual, but it is not really how the memory is organized
– memory is divided into pages, and the OS keeps track of which ones are in memory and which ones are stored out to disk
72
Virtual Machines• Virtual machine: A view that an OS presents that a
process is running on a specific architecture and OS– E.g., a windows emulator on a Mac.
• Benefits:– Hardware Efficiency– Portability– Security– Management
Public domain image from http://commons.wikimedia.org/wiki/File:VMM-Type2.JPG
13
73
What is an Exploit?• An exploit is any input that takes advantage of a bug
or vulnerability in order to cause an attack• i.e., a piece of software, an argument string, or sequence of commands
• not necessarily a program that communicates bad input to a vulnerable piece of software
• can also be just the bad input itself• any bad input (or even valid input that the developer just
failed to anticipate) can cause the vulnerable application to behave improperly...
• An attack is an unintended behavior that occurs on computer software, hardware, or sth. electronic and that brings an advantage to the attacker
74
Buffer Overflow Attack• One of the most common OS bugs is a buffer overflow
– The developer fails to include code that checks whether an input string fits into its buffer array
– An input to a process exceeds the length of a buffer– overwrites a portion of the memory of the process
– Causes the application to behave improperly and unexpectedly
• Effect of a buffer overflow
– The process can operate on malicious data or execute malicious code passed in by the attacker
– If the process is executed as root, the malicious code will be executing with root privileges, e.g., SET_UID programs
75
Unix Address Space• Text: machine code of the program,
compiled from the source code• Data: static program variables
initialized in the source code prior to execution
• BSS (block started by symbol): static variables that are uninitialized
• Heap : data dynamically generated during the execution of a process
• Stack: structure that grows downwards and keeps track of the activated method calls, their arguments and local variables Low Addresses
0x0000 0000
High Addresses0xFFFF FFFF
Stack
Heap
BSS
Data
Text
76
strcpy() Vulnerability
• argv[1] is the user input• strcpy(dest, src) does not check
buffer• strcat(d, s) concatenates strings
domain.cmain(int argc, char *argv[]) /*get user_input*/{
char var1[15];char command[20];strcpy(command, “whois ");strcat(command, argv[1]);strcpy(var1, argv[1]);printf(var1);system(command);
}
var1 (15 char)
command(20 char)
argv[1]
(15 char)argv[1]
(20 char)
Top ofMemory
0xFFFFFFFF
Bottom ofMemory
0x00000000
...
StackFill
Direction
Overflow
exploit
77
Return Address Smashing
• The Unix fingerd() system call, which runs as root (it needs to access sensitive files), used to be vulnerable to buffer overflow
• Write malicious code into buffer and overwrite return address to point to the malicious code
• When return address is reached, it will now execute the malicious code with the full rights and privileges of root
void fingerd (…) {char buf[80];…get(buf);…
} curr
ent
fram
epr
evio
us
fram
es
f() arguments
buffer
local variables
program code program code
next locationnext locationpaddingat
tack
er’s
inpu
tat
tack
er’s
inpu
t
malicious codereturn addressreturn addressf() arguments
EIP
return addressreturn address EIP
78
Stack-based buffer overflow detection using a random canary
• The canary is placed in the stack prior to the return address, so that any attempt to over-write the return address also over-writes the canary.
BufferOther local
variablesCanary (random)
Return address Other data
BufferCorrupt return
addressAttack code
Normal (safe) stack configuration:
Buffer overflow attack attempt:
Overflow data x
14
79
Calling Convention• It is a protocol about how to call & return from routines
• programmers use a common calling convention to – to share code and libraries
– to use subroutines
• given a set of calling convention rules, – a programmer knows how to pass parameters to subroutine
– high-level language compilers can be made to follow the rules, thus allowing hand-coded assembly language routines and high-level language routines to call one another
80
C language calling convention• This allows you to write assembly language
subroutines that are safely callable from C code– will also enable you to call C library functions from your assembly language code
• It is based on the hardware-supported stack– use push/pop/call/ret instructions – (1) Subroutine parameters are passed on the stack – (2) Registers are saved on the stack– (3) local variables used by subroutines are placed in memory on the stack
– Most high-level procedural languages used similar calling conventions
81
Two sets of rules• The calling convention has two sets of rules
– The first set of rules is employed by the caller of the subroutine
– the second set of rules is observed by the writer of the subroutine (the callee)
82
Stack during Subroutine Call: 3 vars and 3 para
the base pointer
the stack pointer
83
Rule Set 1: Caller Rules (1/2)1.Before calling a subroutine, the caller should save the
contents of certain registers that are designated caller-saved– The caller-saved registers are EAX, ECX, EDX, since the called
subroutine is allowed to modify these registers
– if the caller uses their values after the subroutine returns, the caller must push the values in these registers onto the stack (so they can be restore after the subroutine returns.)
2.To pass parameters to the subroutine, push them onto the stack before the call
– The parameters should be pushed in inverted order
– Since the stack grows down, the first parameter will be stored at the lowest address
3.To call the subroutine, use the call instruction
– This instruction places the return address on top of the parameters on the stack, and branches to the subroutine code. This invokes the subroutine, which should follow callee rules 84
Rule Set 1: Caller Rules (2/2)• After the subroutine returns (immediately following
the call instruction), the caller finds the return value of the subroutine in the register EAX
• To restore the machine state, the caller should1. Remove the parameters from stack.
– This restores the stack to its state before the call was performed.
2. Restore the contents of caller-saved registers (EAX, ECX, EDX) by popping them off of the stack.
– The caller can assume that no other registers were modified by the subroutine.
15
85
Caller Rules Example• The caller is calling a function _myFunc that takes
three integer parameters. – First parameter is in EAX, the second parameter is the constant
216; the third parameter is in memory location var.
push [var] ; Push last parameter first push 216 ; Push the second parameter push eax ; Push first parameter last call _myFunc ; Call the function (assume C naming)
add esp, 12 ; the caller cleans up the stack afterwards
We have 12 bytes (3 parameters * 4 bytes each) on the stack, and the stack grows down. Thus, to get rid of the parameters, we can simply add 12 to the stack pointer.
86
After the call• The result produced by _myFunc is now available for
use in the register EAX
• The values of the caller-saved registers (ECX and EDX), may have been changed
– If the caller uses them after the call, it would have needed to save them on the stack before the call and restore them after it.
87
Rule Set 2: Callee Rules• For who writes the subroutine
• The first half of the rules apply to the beginning of the function, and are commonly said to define the prologue to the function.
• The latter half of the rules apply to the end of the function, and are thus commonly said to define the epilogue of the function.
88
Callee Rules: prologue1.Push the value of EBP onto the stack, and then copy the
value of ESP into EBP
push ebp ; maintains the base pointer, EBP; save old
mov ebp, esp; copy the stack pointer to the base pointer; create new
• EBP is used as a point of reference for finding parameters and local variables on the stack.
– When a subroutine is executing, the base pointer holds a copy of the stack pointer value from the caller
– Parameters and local variables will always be located at known, constant offsets away from the base pointer value.
• We push the old base pointer value at the beginning of the subroutine so that we can later restore the appropriate base pointer value for the caller when the subroutine returns.
– the caller is not expecting the subroutine to change the value of the base pointer
– We then move the stack pointer into EBP to obtain our point of reference for accessing parameters and local variables.
89
Callee Rules: prologue2. allocate local variables by making space on the stack.
– to make space on the top of the stack, the stack pointer should be decremented
– The amount depends on the number and size of local variables» if 3 local integers (4 bytes each) were required, the stack pointer would need
to be decremented by 12 to make space for these local variables (i.e., sub esp, 12).
– local variables will be located at known offsets from the NEW base pointer
3. save the values of the callee-saved registers that will be used by the function– push them onto the stack
– The callee-saved registers are EBX, EDI, and ESI
90
epilogue : When the subroutine is returns, it must follow these steps
1.Leave the return value in EAX
2.Restore the old values of any callee-saved registers (EDI and ESI) that were modified
– are restored by popping them from the stack
3.Deallocate local variables by moving the value in the base pointer into the stack pointer: mov esp, ebp
4. Immediately before returning, restore the caller's OLD base pointer value by popping EBP off the stack
5.return to the caller by executing a ret instruction
16
91
Circuit and Packet Switching• Circuit switching
– Legacy phone network, analog circuit
– Single route through sequence of hardware devices established when two nodes start communication
– Data sent along the same physical route
– A Route maintained until communication ends
• Packet switching– Internet / data network– Data split into packets– Packets transported independently through the network
– Each packet handled on a best efforts basis
– Packets may follow different physical routes
• Each has pros and cons
92
What is a network protocol?• A protocol defines the rules for communication between
computers– classified as connectionless and connection oriented
• Connectionless protocol – Sends data out as soon as there is enough data to be
transmitted– E.g., user datagram protocol (UDP)
• Connection-oriented protocol– Provides a reliable connection stream between two nodes– Consists of set up, transmission, and tear down phases– Creates virtual circuit-switched network– E.g., transmission control protocol (TCP)
93
Network Layers• Network models use a stack of layers
– Higher layers use the services of lower layers via encapsulation
– A layer can be implemented in hardware or software– The bottommost layer must be in hardware
• A network device may implement several layers– A IP router has Physical/link/IP three layers (layer 3
device)– A Ethernet switch has Physical/link, two layers (layer-2 device)
• A communication channel between two nodes is established for each layer
– An physical channel at the bottom layer– A Virtual channel at higher layers
94
Internet Layers
Application
Transport
Network
Link
Application
Transport
Network
Link
Network
Link
Network
Link
EthernetFiber Optics
Wi-Fi
Physical Layer
95
Encapsulation• A packet typically consists of
– Control information for addressing a packet: header/ footer– Data: payload
• A network protocol N1 (e.g., IP) can use the services of another network protocol N2 (e.g., Ethernet)
– A packet p1 of N1 is encapsulated into a packet p2 of N2– The payload of p2 is p1– The control information of p2 is derived from that of p1
Ethernet
Header
Payload of p2
FooterIP Header
Payload Footer
96
Internet Packet Encapsulation
Application data, e.g.,
TCP DataTCP
Header
IPHeader
FrameHeader
FrameFooter Link Layer
Network Layer
Transport Layer
IP Data
Frame Data
Application Layer
17
97
Network Interfaces• Network interface is a device connecting a
computer to a network– Ethernet card, WiFi adapter, bluetooth adapter, etc.– A computer may have multiple network interfaces– Packets transmitted between network interfaces
• Most local area networks, (including Ethernet and WiFi) broadcast frames– In regular mode, each network interface gets the frames intended for it (addressed to it)
– Traffic sniffing can be accomplished by configuring the network interface to read all frames (in the promiscuous mode)
98
MAC Addresses• is a 48-bit number usually represented in hex
– E.g., 00-1A-92-D4-BF-86– Most network interfaces come with a predefined MAC address
• The first three octets of any MAC address are IEEE-assigned Organizationally Unique Identifiers
– E.g., Cisco 00-1A-A1, Apple 00-0a-95– The next three can be assigned by organizations as they please, with uniqueness being the only constraint
• Organizations can utilize MAC addresses to identifycomputers on their network
– e.g., EE wireless network• MAC address can be reconfigured by network
interface driver software
99
What does a Switch do?• A switch is a common network device
– Operates at the link layer
– Has multiple ports, each connected to a computer
• Operation of a switch– Learn the MAC address of each computer connected to it
– Forward frames only to the destination computer» Not broadcast to other ports sniffing does NOT work
100
address resolution protocol (ARP)• The ARP connects the network layer to the data layer
by converting IP addresses to MAC addresses• ARP works by broadcasting requests and caching
responses for future use– Caching with a timer, e.g., 60 seconds in Linux
• The protocol begins with a computer broadcasting a message of the form
“who has <IP address1> tell <IP address2>”– The requestor’s IP address <IP address2> is contained in
the link header
• When the machine with <IP address1> or an ARP server receives this message, its broadcasts the response
“<IP address1> is <MAC address>”
101
ARP Spoofing• The ARP table is updated whenever an ARP
response is received
• Requests are not tracked– What asked? When?
• ARP announcements are not authenticated– Machines must trust each other
• A rogue machine can spoof other machines
102
ARP Poisoning (ARP Spoofing)• According to the standard, almost all ARP
implementations are stateless• An arp cache updates every time that it receives
an ARP reply– even if it did not send any ARP request!
• It is possible to “poison” an ARP cache by sending ARP replies
• Solution: Using static entries solves the problem – but it is almost impossible to manage!
18
103
Wireshark• Wireshark is a packet sniffer and protocol
analyzer• Captures and analyzes frames• Supports plugins• Usually required to run with administrator privileges• Run in ‘seed’ or ‘root’ account
• Setting the network interface in promiscuous mode • VMsettingnetworkadaptor2advancedPromiscuous
Mode: please set it to “All” or “All VMs”
• captures traffic across the entire LAN segment and not just frames addressed to the machine
• Freely available on www.wireshark.org104
Internet Protocol• Connectionless
– Each packet is transported independently from other packets
• Unreliable– Delivery on a best effort
basis– No acknowledgments
– Packets may be lost, reordered, corrupted, or duplicated
• IP packets– Encapsulate TCP and UDP
packets– Encapsulated into link-layer
frames
Data link frame
IP packet
TCP or UDP packet
105
IP Addresses and Packets• IP addresses
– IPv4: 32-bit addresses
– IPv6: 128-bit addresses
• Address subdivided into network, subnet, and host
– E.g., 128.148.32.110
• Broadcast addresses– E.g., 128.148.32.255
• Private networks – not routed outside of a LAN
– 10.0.0.0 - 10.255.255.255
– 172.16.0.0 - 172.31.255.255
– 192.168.0.0 - 192.168.255.255
• IP header includes– Source address– Destination address– Packet length (up to 64KB)– Time to live (up to 255)– IP protocol version– Fragmentation information– Transport layer protocol
information (e.g., TCP)
fragmentation info
source
destination
TTL prot.
lengthv
106
IP Routing• A router bridges two or more networks
– Operates at the network layer– Maintains tables to forward packets to the appropriate network
– Forwarding decisions based solely on the destination address
• Routing table– Maps ranges of addresses to LANs or other gateway routers
– netstat –r, --route
107
IP Routing on the Internet
108
Internet Routes• Internet Control Message Protocol (ICMP)
– Used for network testing and debugging– Simple messages encapsulated in single IP packets– Considered a network layer protocol
• Tools based on ICMP– Ping: sends series of echo request messages and provides statistics on roundtrip times and packet loss
– Traceroute: sends series ICMP packets with increasing TTL value to discover routes
19
109
ICMP Attacks• Ping of death
– ICMP specifies messages must fit a single IP packet (64KB)
– Send a ping packet that exceeds maximum size using IP fragmentation
– Reassembled packet caused several operating systems to crash due to a buffer overflow
• Smurf– Ping a broadcast address using a spoofed source address
110
Smurf Attack
Attacker Victim
AmplifyingNetwork
echorequest
echoresponse
echoresponse
echoresponse
111
Denial of Service (DoS) Attack • Send large number of packets
to host providing service– Slows down or crashes host– Often executed by botnet
• Attack propagation– Starts at zombies– Travels through tree of
internet routers rooted– Ends at victim
• IP source spoofing– Hides attacker– Scatters return traffic from
victim
Source: M.T. Goodrich, Probabalistic Packet
Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on
Networking 16:1, 2008.
