introduction to computer security - cse at unt |...

Introduction to Computer Security

Instructor: Mahadevan Gomathisankaran

[email protected]

CSCE 4550/5550, Fall 2009 Recap II 1

mailto:[email protected]�

Network Layers


• Layered Model:– Each layer uses only the layer directly below it– Benefit: Different issues to address at different levels of abstraction

OSI Model

Data Unit Layer Function Example (Internet)

Host Layers

Data

7. Application Network process to application HTTP, FTP, SMTP (E-mail)…

6. Presentation Data representation and encryption

5. Session Interhost communication

Segment 4. Transport End-to-end connections and reliability

TCP, UDP

Media Layers

Packet 3. Network Path determination and logical addressing

IP (Internet Protocol)

Frame 2. Data Link Physical addressing Transmission media (ethernet, token ring, …)Bit 1. Physical Media, signal and binary

transmission

Networking Layers


Source: Wikipedia

IPv4 Packet


0 3 4 7 8 15 16 31

Vers: 4 IHL ToS Total LengthID (for fragmentation) Flags Fragment Offset

TTL Protocol Header ChecksumIP Source Address

IP Destination Address

Options (usually empty)

Data

Network Topology• Overlay Networks

– built on top of another network– Examples:

• Peer-to-peer networking (Distributed Hash Tables)• Tor – Anonymity Network

• Point to Point Protocol (PPP)– Link Layer Protocol– Standard used for dial-up connections– One host on each side of a link– For sending network packets over serial connections– Really a family of protocols:

• LCP (Link Control Protocol) for negotiating link parameters• NCP (Network Control Protocol) parameters for network layer• HDLP (High-level Data Link Control): link layer protocol


Network Layer Attacks

• Attack type 1: Field Tampering– Put invalid data in fields– Example 1: Ping of Death

• “Too large” ping packet crashes machine

– Example 2: LAND Attack• Specially crafted packet with both source and destination

set to victim address, with fields that make machine lock up

– Example 3: Jolt Attack (and Teardrop)• Invalid fragmentation of packets that destination can’t

reassemble, so machine freezes waiting for more



• Type 2: Spoof the fields– Smurf Attack


Attacker24.3.29.123

Intermediary123.45.67.89

Victim209.12.17.35

Fake ping packetwith src 209.12.17.35and dest 123.45.67.89 Ping response to

Victim


• Smurf (DoS Amplification)


Attacker24.3.29.123

Intermediaries123.45.67.1123.45.67.2123.45.67.3…

Victim209.12.17.35

Fake ping packetwith src 209.12.17.35and dest 123.45.67.255 Many (up to 254) ping

responses to Victim

IP Spoofing

• Counter Measures– Ingress Filtering

• blocking of packets from outside the network with a source address inside the network

• Doesn’t work if intermediary inside border!

– Egress filtering• blocking of packets from inside the network with a

source address that is not inside• Only let out packets with appropriate source addrs


Network Layer Attacks• Fragmentation: Breaking up long IP packets to fit in a

particular type of low-level link– Example: Slow PPP might use maximum packet length of ≈500 bytes for

responsiveness vs. typical Ethernet length 1468 bytes

• Security issues:– Using fragmentation to avoid an Intrusion Detection System

• Break up a “signature” into multiple fragments• How are overlapping packets re-assembled?


Transport Layer

• TCP– TCP adds “sessions” or “connections” to the bare IP protocol


0 7 8 15 16 23 24 31

Source Port Destination PortSequence Number

Acknowledgment NumberData Offset Flags Window

Checksum Urgent PointerOptions

Data

CWR: Congestion window reduced URG: Urgent ptr valid RST: Reset flag

ECN: Explicit congestion notification ACK: ACK valid SYN: Synchronize seq #s

PSH: Push function FIN: Finish of connection

Flags:

TCP Handshake

• Connection Establishment– To establish connection, client must prove that it received the SYN|ACK packet– SYN|ACK packet routed to system with source address from first SYN packet

• Since based on routing, only secure back to the subnet of the source


Client Server

(SYN, C-Seq, 0)

(SYN|ACK, S-Seq, C-Seq+1)

(ACK, C-Seq+1, S-Seq+1)

(Flags, Seq#, Ack#)

Transport Layer Security• Originally designed to protect web browser to web server

– Invented by Netscape– Generic TCP protection– Authentication: Supports server and client certificates– Confidentiality: Symmetric encryption after key establishment– Integrity: All packets protected with a MAC

• Later versions (SSL v2.1) referred to as TLS– TLS incorporated within application-layer protocols now in

addition to in a sub-application layer• Example 1: IMAP (mail) can be either a separate SSL protected

service/port (imaps: port 993) or negoatiated after plaintext startup in standard IMAP (port 143)

• Example 2: LDAP with similar options (ldap is port 389, ldaps is port 636)


Firewall

• Designed to forward some packets and filter (not forward) others. – Packet Filter– Application Gateway– Circuit Gateway


Internet Internal network(s)

Firewall

Outgoing Incoming

IP Tables


Chain FORWARD (policy DROP)target prot opt source destination

Chain INPUT (policy DROP)target prot opt in out source destination ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHEDACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHEDACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED tcp spt:20ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)target prot opt source destinationChain

Accept incoming sshconnections.

Special case for ftp

ESTABLISHED connectionsare either initiated locally oraccepted through one of thefollowing rules.

All loopback (local) connectionsand control messages are OK.

“Policy” applies to all packetsnot explicitly handled by a rule(so this is “default deny”).

Chains for different packetsources/destinations.

Intrusion Detection Systems

• Categorization by location:– Host-based Intrusion Detection Systems (HIDS)

• Many just watch system/audit logs for suspicious activity• Some with more sophisticated monitoring (pH: monitors

system calls)

– Network-based Intrusion Detection Systems (NIDS)

• Watches all traffic at a certain point (can use a tap)• If just external access point, can miss insider attacks!• On switched networks: Use a “spanning port”• Difficulties with encrypted traffic


Intrusion Detection Systems• Categorization by type:

– Signature-based• Monitors traffic for known suspicious patterns• Advantages: Fast, few false positives• Drawbacks: Can’t detect novel attacks, must prioritize warnings• Keeping signatures up-to-date leads to subscription services

– Anomaly-based• Tries to learn “typical activity” and flag anomalies• Anything unusual (including novel attacks) can be caught• Drawbacks: Slow and atypical behavior doesn’t necessarily mean bad

behavior (too many false positives)

– Snort and most commercial IDSs are signature-based (sometimes with simple anomaly-based extensions)


Useful Network Security Tools• Some of the most important tools

– nmap: network portscanner – see what your machines look like to the network

– nessus: vulnerability scanner – combines scanning with knowledge of vulnerabilities

– ethereal/wireshark: Nice packet sniffer– dsniff: Sniffer with special attacks built in, such as ARP

spoofing– snort: Combination packet sniffer and IDS

• Other sources of tools/information– “Top 100 network security tools” at http://sectools.org


http://sectools.org/�

Program Security

• Software is what controls everything– Operating System– System utilities (web servers, shells, etc.)– User programs (accounting software, …)

• Two main questions:– How do we keep programs flaw-free?– How do we protect computing resources from programs

that have flaws?• This includes purposefully malicious flaws!


Types of S/w Vulnerabilities


Intentional

MaliciousTrojan Horse

Non-replicating

Replicating (virus)

TrapdoorLogic/Time Bomb

NonmaliciousCovert Channel

StorageTiming

Other

Inadvertent

Validation Error (Incomplete/Inconsistent)Domain Error (Including Object Re-use, Residuals, …)Serialization/aliasing (including TOCTTOU errors)Identification/Authentication InadequateBoundary Condition Violation (incl resource exhaustion, …)Other Exploitable Logic Error

Table from Landwehr, Bull, McDermott, and Choi: ACM Computing Surveys, Sept. 1994.

Buffer Overflow

• Bad code:– Idea: Set auth flag only if user enters the correct password– Works fine if nothing unusual entered– But: What happens if more than 16 characters are entered?


int checkauth(){

int authorized = 0;char userinput[16];

printf("Enter password: ");gets(userinput);

if (strcmp(userinput, "opensesame") == 0)authorized = 1;

return authorized;}

Stack Smashing


Return address

Old frame ptr

LocalVariables

High address:

Low address:

Stack

SP

Stack Frame(or activation record)

Stack Smashing


Return address

Old frame ptr

High address:

Low address:

Stack

AttackCode

• Input from user contains machinecode

• Keeps writing past end of buffer• Overwrites return address with

pointer to user-produced code

Result: User can execute whatevercode they want!!!

Covert Channel• Idea: An attacker wants to smuggle out confidential data

in a non-obvious way• Is a mechanism that, although not designed for

communication, can be exploited to allow information to be communicated from high to low level of security hierarchy.

• Note that this requires willful security violation, but not necessarily “malicious”

• Occurs when a high process can signal to a low process by affecting some shared resource– Example: Stealing bandwidth illegitimately from a legitimate

channel– Another example: Steganography: Alter very small details of multimedia

documents, such as images so as to communicate information in a way not immediately intelligible to anyone casually browsing the documents.


Covert Channel - Detection• Shared resource matrix

– Find all shared resources and determine which processes can R/W from/to the resources.

– Generate the shared resources matrix

– R: Read, M: Modify, Delete, Create


Service Process Spy’s ProcessLocked R,M R,M

Confidential Data RRes

ourc

es

Processes that can access resources

Covert Channel - Detection

• Information flow method


Statement Flow

B:=A from A to B

IF C=1 THEN B:=A from A to B; from C to B

FOR K:=1 to N DO statements END from K to statements

WHILE K>0 DO statements END from K to statements

CASE (exp) val1: statements from exp to statements

B:=f(args) from f to B

OPEN FILE f none

READ(f, X) from file f to X

WRITE(f, X) from X to file f

Malware• Virus: Infects programs/systems by attaching to them

– First wide-spread type of malware– Often used as a generic term (“virus scanners” detect more

than viruses!)

• Trojan Horse: Program with both obvious and non-obvious (and malicious) actions– Different from virus in that it doesn't generally attach to non-

malware

• Worm: Spreads copies through a network– Often passed as a stand-alone program (not attached to

another program as a virus)– Can spread automatically or with user intervention


Viruses – Basic Concepts

• Term coined by Fred Cohen in 1983• Malicious code attaches to active content

– “Active content” can be program, script, boot sector, library, …


Start: mov eax,…

Good ProgramStart: mov eax,…

Good Program

VirusVStart:jmp Start

Start:jmp VStart

Good Program

VirusVStart:mov eax,…jmp Start+1

<next instr>

Some possibilities:

or

Worms – Basics

• Specifically spread over a network– Less “disk swapping” now, but more network

connectivity– Not completely different from a virus

• Could infect executables after using network to spread• But usually just install on system as extra, complete files

– Spread can either be automatic or require user work• Often try to trick a user into opening an active attachment• File extensions can change to try to trick user (file.jpg.exe)• Automatic spreading by e-mail (e.g., exploiting bug in Outlook)

or via vulnerable network services (MS IIS, SQL Server, …)


Current Threats


Controls Against Program Threats

• Developmental methods– Software Engineering

• Operating System• Administrative


Protections of OS• Protection Features of General OS

– Protecting memories– Protecting files– Protecting execution environment

• Controlled access to objects• User authentication


Protecting Memory

• Fence• Base/Bound Registers• Tagged Architecture• Segmentation• Paging


Paged Segmentation

Recap IICSCE 4550/5550, Fall 2009 34

Access Control Mechanisms

• Directory– List per subject

• Access Control List– List per object

• Access Control Matrix– List for every pair of subject and object

• Capability– Unforgeable token

• Procedure-Oriented Access Control– Encapsulated objects

Recap II

Simple

Complex

CSCE 4550/5550, Fall 2009 35

User Authentication• Identifying you are who you claim your are• Basic issue: How do you identify subjects?

– Absolute authentication vs. continuity of authentication– Identity typically relative to a security domain

• Authentication typically based on:– Something you know– password, etc.– Something you have – badge, key, etc. – Something you are – biometrics

• Multi-factor authentication combines multiple techniques

• Policy issues:– Employees/staff must understand authentication issues– Awareness activities to remind regularly


introduction to computer security - cse at unt |...

Documents