Introduction to Computer Security
Instructor: Mahadevan Gomathisankaran
CSCE 4550/5550, Fall 2009 Recap II 1
Network Layers
• Layered Model:
  – Each layer uses only the layer directly below it
  – Benefit: Different issues to address at different levels of abstraction
OSI Model
Group | Data Unit | Layer | Function | Example (Internet)
Host Layers | Data | 7. Application | Network process to application | HTTP, FTP, SMTP (E-mail)…
Host Layers | Data | 6. Presentation | Data representation and encryption |
Host Layers | Data | 5. Session | Interhost communication |
Host Layers | Segment | 4. Transport | End-to-end connections and reliability | TCP, UDP
Media Layers | Packet | 3. Network | Path determination and logical addressing | IP (Internet Protocol)
Media Layers | Frame | 2. Data Link | Physical addressing | Transmission media (ethernet, token ring, …)
Media Layers | Bit | 1. Physical | Media, signal and binary transmission |
IPv4 Packet
Header layout (bit positions 0–3 | 4–7 | 8–15 | 16–31), one 32-bit word per row:
  Vers: 4 | IHL | ToS | Total Length
  ID (for fragmentation) | Flags | Fragment Offset
  TTL | Protocol | Header Checksum
  IP Source Address
  IP Destination Address
  Options (usually empty)
  Data
Network Topology
• Overlay Networks
  – built on top of another network
  – Examples:
    • Peer-to-peer networking (Distributed Hash Tables)
    • Tor – Anonymity Network
• Point to Point Protocol (PPP)
  – Link Layer Protocol
  – Standard used for dial-up connections
  – One host on each side of a link
  – For sending network packets over serial connections
  – Really a family of protocols:
    • LCP (Link Control Protocol) for negotiating link parameters
    • NCP (Network Control Protocol) parameters for network layer
    • HDLC (High-level Data Link Control): link layer protocol
Network Layer Attacks
• Attack type 1: Field Tampering
  – Put invalid data in fields
  – Example 1: Ping of Death
    • “Too large” ping packet crashes machine
  – Example 2: LAND Attack
    • Specially crafted packet with both source and destination set to victim address, with fields that make machine lock up
  – Example 3: Jolt Attack (and Teardrop)
    • Invalid fragmentation of packets that destination can’t reassemble, so machine freezes waiting for more
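The first two field-tampering examples can be recognized from the IPv4 header fields alone. The following C check is an added example, not part of the original slides; the function name, finding codes and sample headers are constructed for illustration, and the sample addresses reuse the ones on the Smurf slides.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IP_OK = 0, IP_MALFORMED = 1, IP_LAND = 2, IP_OVERSIZE = 4 };

/* Constructed 20-byte sample headers (checksum left 0; it is not checked here). */
static const uint8_t NORMAL[20]  = { 0x45, 0, 0x00, 0x54, 0, 1, 0x00, 0x00,
    64, 1, 0, 0, 24, 3, 29, 123, 209, 12, 17, 35 };
static const uint8_t LAND[20]    = { 0x45, 0, 0x00, 0x28, 0, 1, 0x00, 0x00,
    64, 6, 0, 0, 209, 12, 17, 35, 209, 12, 17, 35 };
static const uint8_t TOO_BIG[20] = { 0x45, 0, 0x00, 0x78, 0, 1, 0x1F, 0xFD,
    64, 1, 0, 0, 24, 3, 29, 123, 209, 12, 17, 35 };

static uint32_t rd16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }

/* Returns a bit mask of findings for one IPv4 header. */
int check_ipv4_header(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)             /* Vers must be 4 */
        return IP_MALFORMED;
    uint32_t ihl   = (uint32_t)(pkt[0] & 0x0F) * 4; /* IHL counts 32-bit words */
    uint32_t total = rd16(pkt + 2);                 /* Total Length in bytes */
    if (ihl < 20 || ihl > len || total < ihl)
        return IP_MALFORMED;

    int findings = IP_OK;
    /* LAND: IP Source Address equals IP Destination Address. */
    if (memcmp(pkt + 12, pkt + 16, 4) == 0)
        findings |= IP_LAND;
    /* Ping of Death: Fragment Offset (in 8-byte units) plus this fragment's
       length ends beyond 65535, the largest packet Total Length can describe. */
    uint32_t frag_off = (rd16(pkt + 6) & 0x1FFF) * 8;
    if (frag_off + total > 65535)
        findings |= IP_OVERSIZE;
    return findings;
}

int main(void)
{
    printf("normal=%d land=%d too_big=%d\n", check_ipv4_header(NORMAL, 20),
           check_ipv4_header(LAND, 20), check_ipv4_header(TOO_BIG, 20));
    return 0;
}
```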
Network Layer Attacks
• Type 2: Spoof the fields
  – Smurf Attack
[Diagram]
  Attacker (24.3.29.123) → Intermediary (123.45.67.89): Fake ping packet with src 209.12.17.35 and dest 123.45.67.89
  Intermediary (123.45.67.89) → Victim (209.12.17.35): Ping response to Victim
Network Layer Attacks
• Smurf (DoS Amplification)
[Diagram]
  Attacker (24.3.29.123) → Intermediaries (123.45.67.1, 123.45.67.2, 123.45.67.3, …): Fake ping packet with src 209.12.17.35 and dest 123.45.67.255
  Intermediaries → Victim (209.12.17.35): Many (up to 254) ping responses to Victim
IP Spoofing
• Counter Measures
  – Ingress Filtering
    • blocking of packets from outside the network with a source address inside the network
    • Doesn’t work if intermediary inside border!
  – Egress filtering
    • blocking of packets from inside the network with a source address that is not inside
    • Only let out packets with appropriate source addrs
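An added example (not from the original slides) of the two filters as a border-router decision, run on the Smurf packets above. The function names and the /24 prefix lengths are assumptions; only the addresses come from the slides.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t net, mask; } prefix_t;   /* one internal network */
typedef enum { INBOUND, OUTBOUND } direction_t;    /* relative to that network */
typedef enum { FORWARD, DROP_INGRESS, DROP_EGRESS } verdict_t;

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static int inside(prefix_t p, uint32_t addr) { return (addr & p.mask) == p.net; }

/* Border-router decision that looks only at the packet's source address. */
verdict_t border_filter(prefix_t internal, direction_t dir, uint32_t src)
{
    if (dir == INBOUND && inside(internal, src))
        return DROP_INGRESS;  /* arrives from outside, claims an inside source */
    if (dir == OUTBOUND && !inside(internal, src))
        return DROP_EGRESS;   /* leaves the network with a source that is not ours */
    return FORWARD;
}

int main(void)
{
    /* Addresses from the Smurf slides; the /24 prefix lengths are assumed. */
    const uint32_t mask24 = 0xFFFFFF00u;
    prefix_t attacker_net = { ip4(24, 3, 29, 0), mask24 };
    prefix_t intermediary_net = { ip4(123, 45, 67, 0), mask24 };
    prefix_t victim_net = { ip4(209, 12, 17, 0), mask24 };
    uint32_t spoofed_src = ip4(209, 12, 17, 35);   /* the victim's address */

    /* The fake ping leaving the attacker's network: egress filtering stops it. */
    printf("attacker border: %d\n", border_filter(attacker_net, OUTBOUND, spoofed_src));
    /* The same packet reaching the intermediaries: source is outside, so it passes. */
    printf("intermediary border: %d\n", border_filter(intermediary_net, INBOUND, spoofed_src));
    /* Ping responses reaching the victim carry genuine outside sources. */
    printf("victim border: %d\n", border_filter(victim_net, INBOUND, ip4(123, 45, 67, 1)));
    return 0;
}
```

The verdicts print as enum values: 0 is FORWARD, 1 is DROP_INGRESS, 2 is DROP_EGRESS.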
Network Layer Attacks
• Fragmentation: Breaking up long IP packets to fit in a particular type of low-level link
  – Example: Slow PPP might use maximum packet length of ≈500 bytes for responsiveness vs. typical Ethernet length 1468 bytes
• Security issues:
  – Using fragmentation to avoid an Intrusion Detection System
    • Break up a “signature” into multiple fragments
    • How are overlapping packets re-assembled?
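Why the reassembly question matters to an IDS, as an added example that is not part of the original slides: the same fragments reassemble to different payloads depending on whether the first or the last copy of an overlapping byte wins, so the check below reassembles both ways and also alerts on the conflict itself. The fragment contents, the signature string and all names are constructed.

```c
#include <stdio.h>
#include <string.h>

typedef struct { unsigned off, len; const char *data; } frag_t;
typedef enum { FIRST_WINS, LAST_WINS } policy_t;
#define MAXLEN 64
/* Constructed sample: the second fragment overlaps bytes 3..5 of the first. */
static const frag_t SAMPLE[] = { { 0, 6, "BADXXX" }, { 3, 3, "SIG" } };

/* Reassembles fragments (arrival order) into out[MAXLEN] as a C string and
   returns how many overlapping bytes disagreed with data already received. */
int reassemble(const frag_t *f, int n, policy_t pol, char out[MAXLEN])
{
    unsigned char seen[MAXLEN] = { 0 };
    int conflicts = 0;
    memset(out, 0, MAXLEN);
    for (int i = 0; i < n; i++) {
        for (unsigned j = 0; j < f[i].len; j++) {
            unsigned pos = f[i].off + j;
            if (f[i].off >= MAXLEN - 1 || pos >= MAXLEN - 1) break;
            if (seen[pos] && out[pos] != f[i].data[j]) {
                conflicts++;
                if (pol == FIRST_WINS) continue;  /* keep the earlier byte */
            }
            out[pos] = f[i].data[j];
            seen[pos] = 1;
        }
    }
    return conflicts;
}

/* Policy-independent IDS check: alert when the signature appears under either
   reassembly policy, or when overlapping fragments carry conflicting bytes. */
int ids_alert(const frag_t *f, int n, const char *sig)
{
    char first[MAXLEN], last[MAXLEN];
    int conflicts = reassemble(f, n, FIRST_WINS, first);
    reassemble(f, n, LAST_WINS, last);
    return conflicts > 0 || strstr(first, sig) != NULL || strstr(last, sig) != NULL;
}

int main(void)
{
    char buf[MAXLEN];
    reassemble(SAMPLE, 2, FIRST_WINS, buf); printf("first-wins: %s\n", buf);
    reassemble(SAMPLE, 2, LAST_WINS, buf);  printf("last-wins:  %s\n", buf);
    printf("alert: %d\n", ids_alert(SAMPLE, 2, "BADSIG"));
    return 0;
}
```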
Transport Layer
• TCP
  – TCP adds “sessions” or “connections” to the bare IP protocol
TCP header layout (bit positions 0–7 | 8–15 | 16–23 | 24–31):
  Source Port | Destination Port
  Sequence Number
  Acknowledgment Number
  Data Offset | Flags | Window
  Checksum | Urgent Pointer
  Options
  Data
Flags:
  CWR: Congestion window reduced
  ECN: Explicit congestion notification
  URG: Urgent ptr valid
  ACK: ACK valid
  PSH: Push function
  RST: Reset flag
  SYN: Synchronize seq #s
  FIN: Finish of connection
TCP Handshake
• Connection Establishment
  – To establish connection, client must prove that it received the SYN|ACK packet
  – SYN|ACK packet routed to system with source address from first SYN packet
    • Since based on routing, only secure back to the subnet of the source
[Diagram: messages shown as (Flags, Seq#, Ack#)]
  Client → Server: (SYN, C-Seq, 0)
  Server → Client: (SYN|ACK, S-Seq, C-Seq+1)
  Client → Server: (ACK, C-Seq+1, S-Seq+1)
Transport Layer Security
• Originally designed to protect web browser to web server
  – Invented by Netscape
  – Generic TCP protection
  – Authentication: Supports server and client certificates
  – Confidentiality: Symmetric encryption after key establishment
  – Integrity: All packets protected with a MAC
• Later versions (SSL v2.1) referred to as TLS
  – TLS incorporated within application-layer protocols now in addition to in a sub-application layer
    • Example 1: IMAP (mail) can be either a separate SSL protected service/port (imaps: port 993) or negotiated after plaintext startup in standard IMAP (port 143)
    • Example 2: LDAP with similar options (ldap is port 389, ldaps is port 636)
Firewall
• Designed to forward some packets and filter (not forward) others.
  – Packet Filter
  – Application Gateway
  – Circuit Gateway
[Diagram: Internet | Firewall | Internal network(s), with Outgoing and Incoming traffic passing through the Firewall]
IP Tables
Chain FORWARD (policy DROP)
target  prot  opt  source  destination

Chain INPUT (policy DROP)
target  prot  opt  in  out  source     destination
ACCEPT  tcp   --   *   *    0.0.0.0/0  0.0.0.0/0    state ESTABLISHED
ACCEPT  udp   --   *   *    0.0.0.0/0  0.0.0.0/0    state ESTABLISHED
ACCEPT  tcp   --   *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:22
ACCEPT  tcp   --   *   *    0.0.0.0/0  0.0.0.0/0    state RELATED tcp spt:20
ACCEPT  all   --   lo  *    0.0.0.0/0  0.0.0.0/0
ACCEPT  icmp  --   *   *    0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target  prot  opt  source  destination

Annotations on the listing:
• Chains for different packet sources/destinations.
• “Policy” applies to all packets not explicitly handled by a rule (so this is “default deny”).
• ESTABLISHED connections are either initiated locally or accepted through one of the following rules.
• Accept incoming ssh connections (the tcp dpt:22 rule).
• Special case for ftp (the state RELATED tcp spt:20 rule).
• All loopback (local) connections and control messages are OK (the lo and icmp rules).
Intrusion Detection Systems
• Categorization by location:
  – Host-based Intrusion Detection Systems (HIDS)
    • Many just watch system/audit logs for suspicious activity
    • Some with more sophisticated monitoring (pH: monitors system calls)
  – Network-based Intrusion Detection Systems (NIDS)
    • Watches all traffic at a certain point (can use a tap)
    • If just external access point, can miss insider attacks!
    • On switched networks: Use a “spanning port”
    • Difficulties with encrypted traffic
Intrusion Detection Systems
• Categorization by type:
  – Signature-based
    • Monitors traffic for known suspicious patterns
    • Advantages: Fast, few false positives
    • Drawbacks: Can’t detect novel attacks, must prioritize warnings
    • Keeping signatures up-to-date leads to subscription services
  – Anomaly-based
    • Tries to learn “typical activity” and flag anomalies
    • Anything unusual (including novel attacks) can be caught
    • Drawbacks: Slow, and atypical behavior doesn’t necessarily mean bad behavior (too many false positives)
  – Snort and most commercial IDSs are signature-based (sometimes with simple anomaly-based extensions)
Useful Network Security Tools
• Some of the most important tools
  – nmap: network portscanner – see what your machines look like to the network
  – nessus: vulnerability scanner – combines scanning with knowledge of vulnerabilities
  – ethereal/wireshark: Nice packet sniffer
  – dsniff: Sniffer with special attacks built in, such as ARP spoofing
  – snort: Combination packet sniffer and IDS
• Other sources of tools/information
  – “Top 100 network security tools” at http://sectools.org
Program Security
• Software is what controls everything
  – Operating System
  – System utilities (web servers, shells, etc.)
  – User programs (accounting software, …)
• Two main questions:
  – How do we keep programs flaw-free?
  – How do we protect computing resources from programs that have flaws?
    • This includes purposefully malicious flaws!
Types of S/w Vulnerabilities
• Intentional
  – Malicious
    • Trojan Horse
      – Non-replicating
      – Replicating (virus)
    • Trapdoor
    • Logic/Time Bomb
  – Nonmalicious
    • Covert Channel
      – Storage
      – Timing
    • Other
• Inadvertent
  – Validation Error (Incomplete/Inconsistent)
  – Domain Error (Including Object Re-use, Residuals, …)
  – Serialization/aliasing (including TOCTTOU errors)
  – Identification/Authentication Inadequate
  – Boundary Condition Violation (incl resource exhaustion, …)
  – Other Exploitable Logic Error
Table from Landwehr, Bull, McDermott, and Choi: ACM Computing Surveys, Sept. 1994.
Buffer Overflow
• Bad code:
  – Idea: Set auth flag only if user enters the correct password
  – Works fine if nothing unusual entered
  – But: What happens if more than 16 characters are entered?

    #include <stdio.h>
    #include <string.h>

    int checkauth()
    {
        int authorized = 0;
        char userinput[16];

        printf("Enter password: ");
        gets(userinput);   /* no length check: long input is written past the buffer */

        if (strcmp(userinput, "opensesame") == 0)
            authorized = 1;

        return authorized;
    }
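A bounded version of the same check, added here as an example and not part of the original slides: it reads with fgets into the same 16-byte buffer and rejects over-long input instead of writing past the buffer. The name checkauth_from and the FILE * parameter are assumptions, made so the function can be exercised on any input stream.

```c
#include <stdio.h>
#include <string.h>

#define PW_BUF 16   /* same buffer size as userinput[16] in the slide */

/* Reads one line from `in` into a fixed buffer without writing past it.
   Returns 1 only for the exact password; over-long input is rejected. */
int checkauth_from(FILE *in)
{
    char userinput[PW_BUF];
    int authorized = 0;

    /* fgets stores at most PW_BUF - 1 characters plus the terminator. */
    if (fgets(userinput, sizeof userinput, in) == NULL)
        return 0;                      /* EOF or read error: not authorized */

    size_t n = strcspn(userinput, "\n");
    if (userinput[n] != '\n' && n == sizeof userinput - 1) {
        /* The line did not fit. Discard the remainder so it is not taken as
           the next answer, and fail closed rather than compare a prefix. */
        int c;
        while ((c = fgetc(in)) != '\n' && c != EOF)
            ;
        return 0;
    }
    userinput[n] = '\0';               /* strip the newline, if any */

    if (strcmp(userinput, "opensesame") == 0)
        authorized = 1;
    return authorized;
}

int main(void)
{
    printf("Enter password: ");
    fflush(stdout);
    puts(checkauth_from(stdin) ? "authorized" : "denied");
    return 0;
}
```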
Stack Smashing
[Diagram: Stack, showing one Stack Frame (or activation record)]
High address:
  Return address
  Old frame ptr
  Local Variables  ← SP
Low address:
Stack Smashing
[Diagram: Stack]
High address:
  Return address
  Old frame ptr
  Attack Code
Low address:
• Input from user contains machine code
• Keeps writing past end of buffer
• Overwrites return address with pointer to user-produced code
Result: User can execute whatever code they want!!!
Covert Channel
• Idea: An attacker wants to smuggle out confidential data in a non-obvious way
• Is a mechanism that, although not designed for communication, can be exploited to allow information to be communicated from high to low level of security hierarchy.
• Note that this requires willful security violation, but not necessarily “malicious”
• Occurs when a high process can signal to a low process by affecting some shared resource
  – Example: Stealing bandwidth illegitimately from a legitimate channel
  – Another example: Steganography: Alter very small details of multimedia documents, such as images so as to communicate information in a way not immediately intelligible to anyone casually browsing the documents.
Covert Channel - Detection
• Shared resource matrix
  – Find all shared resources and determine which processes can R/W from/to the resources.
  – Generate the shared resources matrix
  – R: Read, M: Modify, Delete, Create

Processes that can access resources:
Resources | Service Process | Spy’s Process
Locked | R,M | R,M
Confidential Data | R |
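The matrix above can be searched mechanically for a potential channel. This C code is an added example, not from the original slides; the function names are hypothetical, and the search follows only one intermediate process, which is enough for this two-process matrix.

```c
#include <stdio.h>

enum { R = 1, M = 2 };                  /* access bits: Read, Modify */
enum { SERVICE, SPY, NPROC };           /* columns: processes */
enum { LOCKED, CONFIDENTIAL, NRES };    /* rows: resources */

/* The matrix from the slide. */
static const int SRM[NRES][NPROC] = {
    [LOCKED]       = { R | M, R | M },
    [CONFIDENTIAL] = { R,     0     },
};

/* A sender can signal a receiver through res if it can modify what the
   receiver can read. */
int direct_channel(const int m[NRES][NPROC], int sender, int receiver, int res)
{
    return sender != receiver && (m[res][sender] & M) && (m[res][receiver] & R);
}

/* Reports whether proc can learn secret without Read access to it: some other
   process reads secret and can signal proc through a shared resource. One hop
   is enough for the two-process matrix; *via receives the carrier resource. */
int leaks_to(const int m[NRES][NPROC], int secret, int proc, int *via)
{
    if (m[secret][proc] & R)
        return 0;                       /* ordinary read access, not covert */
    for (int s = 0; s < NPROC; s++) {
        if (s == proc || !(m[secret][s] & R))
            continue;
        for (int r = 0; r < NRES; r++) {
            if (r != secret && direct_channel(m, s, proc, r)) {
                *via = r;
                return 1;
            }
        }
    }
    return 0;
}

int main(void)
{
    int via = -1;
    int leak = leaks_to(SRM, CONFIDENTIAL, SPY, &via);
    printf("Confidential Data -> Spy's Process: %s (via resource %d)\n",
           leak ? "potential channel" : "none", via);
    return 0;
}
```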
Covert Channel - Detection
• Information flow method

Statement | Flow
B:=A | from A to B
IF C=1 THEN B:=A | from A to B; from C to B
FOR K:=1 to N DO statements END | from K to statements
WHILE K>0 DO statements END | from K to statements
CASE (exp) val1: statements | from exp to statements
B:=f(args) | from f to B
OPEN FILE f | none
READ(f, X) | from file f to X
WRITE(f, X) | from X to file f
Malware
• Virus: Infects programs/systems by attaching to them
  – First wide-spread type of malware
  – Often used as a generic term (“virus scanners” detect more than viruses!)
• Trojan Horse: Program with both obvious and non-obvious (and malicious) actions
  – Different from virus in that it doesn't generally attach to non-malware
• Worm: Spreads copies through a network
  – Often passed as a stand-alone program (not attached to another program as a virus)
  – Can spread automatically or with user intervention
Viruses – Basic Concepts
• Term coined by Fred Cohen in 1983
• Malicious code attaches to active content
  – “Active content” can be program, script, boot sector, library, …
[Diagram]
Original:
  Start:  mov eax,…
          Good Program
Some possibilities:
  Start:  mov eax,…
          Good Program
  VStart: Virus
          jmp Start
or
  Start:  jmp VStart
          <next instr>
          Good Program
  VStart: Virus
          mov eax,…
          jmp Start+1
Worms – Basics
• Specifically spread over a network
  – Less “disk swapping” now, but more network connectivity
  – Not completely different from a virus
    • Could infect executables after using network to spread
    • But usually just install on system as extra, complete files
  – Spread can either be automatic or require user work
    • Often try to trick a user into opening an active attachment
    • File extensions can change to try to trick user (file.jpg.exe)
    • Automatic spreading by e-mail (e.g., exploiting bug in Outlook) or via vulnerable network services (MS IIS, SQL Server, …)
Controls Against Program Threats
• Developmental methods
  – Software Engineering
• Operating System
• Administrative
Protections of OS
• Protection Features of General OS
  – Protecting memories
  – Protecting files
  – Protecting execution environment
• Controlled access to objects
• User authentication
Protecting Memory
• Fence
• Base/Bound Registers
• Tagged Architecture
• Segmentation
• Paging
Access Control Mechanisms
(Listed from Simple at the top to Complex at the bottom.)
• Directory
  – List per subject
• Access Control List
  – List per object
• Access Control Matrix
  – List for every pair of subject and object
• Capability
  – Unforgeable token
• Procedure-Oriented Access Control
  – Encapsulated objects
User Authentication
• Identifying that you are who you claim you are
• Basic issue: How do you identify subjects?
  – Absolute authentication vs. continuity of authentication
  – Identity typically relative to a security domain
• Authentication typically based on:
  – Something you know – password, etc.
  – Something you have – badge, key, etc.
  – Something you are – biometrics
• Multi-factor authentication combines multiple techniques
• Policy issues:
  – Employees/staff must understand authentication issues
  – Awareness activities to remind regularly