cs645: lecture 1 (computer and) network securitygreenie/cs645/cs645-12-01.pdf · 2012. 4. 4. ·...

CS645: Lecture 1(Computer and) Network

SecurityRachel Greenstadt

April 4, 2012

Wednesday, April 4, 2012

Introductions

• Hopefully, we’ve all done online introductions

• Your name• Program• Interest in security• Something else interesting about you


High Level Information

• Instructor: Rachel Greenstadt• Office: UC 140• Office Hours (Wednesday 2:30-3:30 pm)• Feel free to email or stop by or use wimba• Course website • http://www.cs.drexel.edu/~greenie/cs645/


http://www.cs.drexel.edu/cs475/http://www.cs.drexel.edu/cs475/

Overview

• Current events in “Computer and Network Security” (far from complete)

• About CS 645• Research Project• Security Reviews and Risk Analysis• Introduction to Project 1


What is security?

• What is “Computer and Network Security”• Write down your answers on text chat or

paper and discuss with a neighbor


Computer security is an oxymoron

• We like to talk about crypto --- it’s the only thing we’ve got that really works (caveats)

• Software is not secure• Networks are not secure• Trust infrastructures are not secure• And users...well....I think I might have a

bank in Nigeria to sell to you


The Internets are Broken: SSL

How ssl web securityis supposed to work


Creating a Rogue CA


How to Create a Rogue CA

• 2008 : Break hashing algorithm used to sign the CA cert (MD5 in this case) or break DNS

• 2009 : Buy cert for *\0.domainI0wn.com, results in cert for * due to pascal vs C string confusion

• 2011 : Break into a CA or someone who has signing capacity (DigiNotar/Comodo)

• 2012 : ?


But then again, why bother?


Crypto is hard: Debian

• The following lines were removed from md_rand.c

• valgrind and purify (useful debugging tools) complained about uninitialized memory

• As a result, randomness in debian generated keys (SSL and SSH) was reduced to 15 bits (32,768 unique keys) and cryptographic ops were suspect

MD_Update(&m,buf,j);[ .. ]MD_Update(&m,buf,j); /* purify complains */


More Recently: RSA

• Lenstra et al• Of 6.6 million distinct X.509 certificates and PGP keys (cf. [1])

containing RSA moduli, 0.27 million (4%) share their RSA modulus, often involving unrelated parties. Of 6.4 million distinct RSA moduli, 71052 (1.1%) occur more than once, some of them thousands of times.

• Heninger et al• Remote compromise of 0.4% of keys. Due to poor random number

generation. Affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers


Release engineering is hard: Redhat Openssh

• August 2008 - someone backdoored the Redhat’s openssh binaries, managed to get them signed by Redhat and distributed


CVE vulnerabilities


Software vulnerabilities:PDF edition


What about games?


Web 2.0 is a sewerInternet users can be infected simply by viewing a compromised website.


Web Vulnerabilities

Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9–12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.

• During 2010, the average website had 230 serious* vulnerabilities.

• In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.

• * Serious - data loss or breach


SQL Injection

This sort of attack on the rise...mostlyattacking web sites


Data Protection doesn’t exist

• Data aggregators compile in-depth dossiers on everyone

• Choicepoint sold 163,000 record to identity thieves in 2005

• Often this data is lost, stolen, or misused• Privacy Rights Clearinghouse documents the loss

of 246,134,559 sensitive records since 2005


Privacy in Apps?

• iOS plaintext file keeping track of fine-grained location info

• Malicious apps accessing address books, making premium phone calls, sending text messages to pay services

• How many of you pay attention to permissions on apps you download?


Will cloud computing save us?

• Short answer: no• Longer answer: it’s unclear if it makes the

situation better, but it does change the attack surface - virtualization

• VM slice hopping exploits in the wild• Also, depends what you mean by “cloud”:

see countless twitter exploits


But cellphones are safe?

• AS/1 and AS/3 encryption standards for GSM broken (Karsten Nohl and Chris Paget)

• Rogue basepoints built for $1500• Attacking smart phones by sending fuzzed

SMS (Charlie Miller and Collin Mulliner)

• JailbreakMe (uses heap (free) exploit)


Gov’t isn’t immune: The Pentagon

vs

Infected machines can propagate infections byportable media like USB drives

IBM handed out USB drives with not one but two pieces of malware at a security conference.


Cyberphysical systems

• Smart grid• Emergency services• Water treatment plants• Lots of potential, but also risk


The Mob 0wns the Internet : Botnets

• What about all these compromised machines?• Network them together and use them for• Phishing/SPAM/ “bulletproof hosting”• distributed denial of service• Personal information harvesting• Practical anonymity for targeted attacks• Control with IRC, or p2p protocols (STORM)


Govt Oppression 2.0

• Countrywide censorship via deep packet inspection, MiTM - Iran, China, Burma, etc

• But also US, Germany, Aus, UK, etc• US companies leading the way

• Info warfare - Russia/Estonia 2007


Why are things so bad?


Why are things so bad?• Economists will tell you that the optimal number

of plane crashes is > 0

• Indirect losses and externalities

• “Ship it today, get it right by version 3”• Features too far ahead of security

• Failure of software eng field to be competent• Monoculture • Lack of security metrics


Or maybe it’s just the Internet [Lampson]

• Attack from anywhere• Sharing with anyone• Automated infection• Hostile code• Hostile physical environment• Hostile hosts


The Malware Economy• Revenue sources: SPAM, phishing, stolen data (credentials, game items)• Revenue conversion: money mules• Enabled by: Botnets of infected machines• Enabled by: Infection vectors: Drive-by-downloads, email attachments,

removable media

• Enabled by: Automated exploit packs (mpack, etc)• Enabled by: Malware writers• Enabled by: Exploit writers• Enabled by: Software vulnerabilities/bad release engineering


What type of access to a computer overrides all security measures?


About CS 645

• This class is in Beta• Bug reports welcome (not exploits :) )

• This class is not comprehensive • This class is meant to be difficult, but not

impossible


Inspirations and Acknowledgements

• This class is based in part on • Jeremy Johnson’s CS 475• Dan Boneh’s CS 155• Yoshi Kohno’s CSE 484• Ron Rivest’s 6.857• Radia Perlman’s CS 243


What will we cover?

• Applied security topics, network and software attacks/defenses

• The “security mindset”• Very light on cryptography• Economics/usability/privacy/AI• Security research - via project


Prerequisites

• Learning on the fly - OK if you know what you’re getting into

• C, x86 and stack basics, network socket programming, some Java, operating system principles and machine organization, Unix clue and related software engineering tools, Math (algorithms, probability, exponentiation/modular arithmetic, proofs), critical and devious thinking skills


Grading

• Midterm: 15%• Research: 35%• Problem sets/Projects: 4x10%• Participation 10%


Late Submission Policy

• Turn in work on time• Late assignments will be dropped 20%

per day

• Midterm will be held online in bbvista


Projects

• Project 1 (individual) : learning to write software exploits• Project 2 (group) : harder software exploits• Project 3 (group) : cryptography and hashing• Project 4 (group) : network security (SSL man-in-the-middle)


Class Project

• Research project on some topic related to computer and network security

• Groups of 2-3 people• Proposal and topic due April 25• Paper (12 pages, workshop quality) and

presentation due end of class


ResearchOnline Discussions

• Begin with brainstorming about the problem• One initial post (due Sunday 5 pm)• An idea for a research topic - no need to be very detailed• At least two papers that are useful related work• Two replies to other posts (due Tuesday, 5 pm)• The earlier you post, the easier it will be to find something novel to add


The Project Proposal

• 2 pages long• Problem Statement and Motivation• Brief Description of Approach• Related Work and novelty• Evaluation approach• Milestones• Short 5-10 min presentation to class


Group work

• Much of the class will be done in groups of 2-3 students (projects 2-3, security arms race research)

• Groups will work together on projects and on the research project (can should combine online/in-person)

• I will assign groups next week. Please send me requests about topics you would like to work on and/or people you would like to work with.

• In general, all group members will get the same grade but there will be peer evaluations at the end


Intermission:Security Reviews Next


Security: Whole System is Relevant

• Security requires a whole-system view• Cryptography• Implementation• People• Physical Security• Everything in between• “Security is only as strong as the weakest link”• Many places to fail


Security Properties

• Confidentiality• Integrity• Authenticity• Availability


Analyzing the Security of a System: Part 1

• First thing : Summarize the system clearly and concisely

• Absolutely critical• Can’t summarize, how can you analyze? Ask:• What are the systems’ goals?• How does the system achieve them?

• Who are the players/stakeholders?• What are their incentives?


Analyzing the Security of a System: Part 2

• Subsequent steps• Identify assets: What do you wish to protect• Identify adversaries and threats• Identify vulnerabilities• Calculate the risks• Evaluate controls/mitigation strategies• Iterate


Assets• Need to know what you are protecting! • Hardware: Laptops, servers, routers, PDAs, phones, ... • Software: Applications, operating systems, database systems, source

code, object code, ...

• Data and information: Data for running and planning your business, design documents, data about your customers, data about your identit

• Reputation, brand name • Responsiveness • Assets should have an associated value (e.g., cost to replace hardware, cost

to reputation, how important to business operation)


Adversaries• National governments • Terrorists • Thieves • Business competitors • Your supplier • Your customer • New York Times • Your family members (parents, children) • Your friends • Your ex-friends • ...


Threats

• Threats are actions by adversaries who try to exploit vulnerabilities to damage assets

• Spoofing identities: Attacker pretends to be someone else • Tampering with data: Change outcome of election • Denial of service: Attacker makes voting machines unavailable on

election day

• Elevation of privilege: Regular voter becomes admin• Specific threats depend on environmental conditions, enforcement

mechanisms, etc

• You must have a clear understanding of how the system works


Classifying Threats• By damage done to the assets

• Confidentiality, Integrity, Availability

• By source of attacks• (Type of) insider • (Type of) outsider • Local attacker • Remote attacker • Attacker resources

• By the actions• Interception • Interruption• Modification • Fabrication


Risk Analysis• Quantitative Risk Analysis• Expected Loss = ValueOf(Asset) * Prob(Vulnerability) * Prob(Threat)• Hard to assign ValueOf (monetary?) and Probabilities

• Qualitative Risk Analysis• Assets: Critical, very important, important, not important• Vulnerabilities: Has to be fixed soon, should be fixed, fix if convenient• Threats: Very likely, likely, unlikely, very unlikely• Which of the attacks we discussed Tuesday were a result of getting this

wrong?


Let’s try it out

• Analyzing the drexelone portal• Recall steps : • First thing: Summarize the system as clearly and concisely as possible • Identify the assets: What do you wish to protect? • Identify the adversaries and threats • Identify vulnerabilities: Weaknesses in the system • Calculate the risks (we’ll do informally)


Project 1: Software exploits

• Individual project - done in virtual machine environment

• This assignment is hard. Don’t leave it until the last minute. Ask for help if you get stuck.

• Make sure you have the environment set up soon!


Software exploits/Project 1

• Before you can understand stack exploits, you have to know something about computer architecture

• For project 1, you have to know x86 (IA-32)

• So we’ll do some review


Procedures

• Operating system runs programs as concurrently executed procedures• The OS calls a program as a procedure to execute the program and the

program returns control to the OS when it completes.

• The call to execute the procedure is a branch instruction to the beginning of the procedure. When the procedure finishes, a second branch instruction returns to the instruction immediately following the procedure call.

• The return address must be saved before the procedure is called. The steps in the transfer of control to execute a procedure are 1. Save the return address 2. Call procedure (using a branch instruction). 3. Execute the procedure. 4. Return from the procedure (branch to the return address).


Nested procedure

• When the jal B instruction is executed, the return address in register $ra for procedure A will be overwritten with the return address for procedure B. Procedure B will return correctly to A, but when procedure A executes the jr instruction, it will return again to the return address for B, which is the next instruction after jal B in procedure A. This puts procedure A in an infinite loop.

• To implement the linkage for nested procedures, the return address for each procedure must be saved somewhere other than register $ra. Note that the procedure call/return sequence is a LIFO process: the last procedure called is the first to return. A stack is the natural data structure for saving the return addresses for nested procedure calls.

jal: jump and linkjr: jump register

$ra return address


System Stack• The system stack provides a convenient mechanism for dynamically

allocating storage for the various data associated with the execution of a procedure including:

• parameters• saved registers• local variables• return address • The system stack is located at the top of the user memory space and grows

downward toward smaller memory addresses. Register $esp is the stack pointer to the system stack. It contains the address of the first empty location at the top of the stack.


Linux process memory layout

unused0x08048000

run time heap

shared libraries

user stack

0x40000000

0xC0000000

%esp

brk

Loaded from exec

0Wednesday, April 4, 2012

System stack

The frame pointer is stored in register $ebp, also called $fp. A stack frame consists of the memory on the stack

between the frame pointer and the stack pointer.


IA-32 Registers• $esp : Stack Pointer (SP) : points to the top of the stack (lowest mem

addr)

• Points to last used word in stack or next available word location on stack (implementation dependent)

• $ebp : Frame Pointer (FP) : points to fixed location within an activation record (stack frame)

• If $ebp for some stack frame is stored at addr X then $eip for that frame is stored at addr X + 4

• Used to reference local vars and parameters since the distance from those to the frame pointer will not change whereas the distance from those to the stack pointer will (as other functions are called and the stack pointer is decremʼd …)

• $eip : instruction pointer (aka $ra)• “The instruction pointer (EIP) register contains the offset in the current code segment

for the next instruction to be executed.”


Calling procedures (IA-32)

• When CALL procedure p()• Push eip : the return address ($ra)• Push ebp : saves previous frame pointer• Copy sp into fp : ebp = esp

• The new stack frame’s frame pointer will be the previous value of the stack pointer• Advance sp (esp) for allocations on stack (that is, decrement it)

• When LEAVE procedure p(),• This process is reversed• Load ebp into esp• Restore ebp from the stack


• During CALL, value of eip register pushed onto stack• Before RET, programmer should make sure that stack pointer

(esp) is pointing to the eip on the stack; does this via:

• Move contents of $ebp into $esp• Increment $esp by 4• $esp should now point to (contain addy of) $eip• RET will load the value stored in $esp into the $eip

Interaction between EIP, EBP, ESP


Ethics

• Certain level of maturity required for this class• Use this knowledge for good not evil• Attacks on computer systems are illegal and often

against drexel policy


Readings

• ACM code of ethics• Towards Community Standards for Ethical

Behavior in Computer Security Research.

• How to 0wn the Internet in your Spare Time

• Excerpts from Pfleeger and Pfleeger • Chapter 1 (online)

http://www.eecs.umich.edu/%7Emibailey/publications/dbd2009tr1.pdfhttp://www.eecs.umich.edu/%7Emibailey/publications/dbd2009tr1.pdfhttp://www.eecs.umich.edu/%7Emibailey/publications/dbd2009tr1.pdfhttp://www.eecs.umich.edu/%7Emibailey/publications/dbd2009tr1.pdf

cs645: lecture 1 (computer and) network securitygreenie/cs645/cs645-12-01.pdf · 2012. 4. 4. ·...

Documents