1 / 42

Computer and Network Security

Computer and Network Security. What’s this course about?. Intro to computer and network security Some challenging fun projects Learn about attacks Learn about preventing attacks Lectures on related topics Application and operating system security Web security

amory
Télécharger la présentation

Computer and Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Computer and Network Security

  2. What’s this course about? • Intro to computer and network security • Some challenging fun projects • Learn about attacks • Learn about preventing attacks • Lectures on related topics • Application and operating system security • Web security • Network security, Mobile app security Not a course on cryptography

  3. Organization (subject to change) • Application and OS security • Buffer overflow project • Vulnerabilities: control hijacking attacks, fuzzing • Prevention: System design, robust coding, isolation • Web security • Web site attack and defenses project • Browser policies, session mgmt, user authentication • HTTPS and web application security • Network security • Network traceroute and packet filtering project • Protocol designs, vulnerabilities, prevention • Malware, botnets, DDoS, network security testing • A few other topics • Cryptography (user perspective), digital rights management

  4. General course info • Prerequisite: • Programming Languages, Operating systems • Textbook: none – reading online • Coursework • 2 projects, final exam

  5. Security Concepts

  6. What is security? • System correctness • If user supplies expected input, system generates desired output • Security • If attacker supplies unexpected input, system does not fail in certain ways

  7. What is security? • System correctness • Good input  Good output • Security • Bad input  Bad output

  8. What is security? • System correctness • More features: better • Security • More features: can be worse

  9. Security properties • Confidentiality • Information about system or its users cannot be learned by an attacker • Integrity • The system continues to operate properly, only reaching states that would occur if there were no attacker • Availability • Actions by an attacker do not prevent users from having access to use of the system

  10. General picture System • Security is about • Honest user (e.g., Alice, Bob, …) • Dishonest Attacker • How the Attacker • Disrupts honest user’s use of the system (Integrity, Availability) • Learns information intended for Alice only (Confidentiality) Alice Attacker

  11. Network security Network Attacker Intercepts and controls network communication System Alice

  12. Web security System Web Attacker Sets up malicious site visited by victim; no control of network Alice

  13. Operating system security OS Attacker Controls malicious files and applications Alice

  14. System Alice Attacker Confidentiality: Attacker does not learn Alice’s secrets Integrity: Attacker does not undetectably corrupt system’s function for Alice Availability: Attacker does not keep system from being useful to Alice

  15. Trends and statistics

  16. The computer security problem • Lots of buggy software (and gullible users) • Money can be made from finding and exploiting vulnerabilities. • Marketplace for vulnerabilities • Marketplace for owned machines (PPI) • Many methods to profit from owned client machines

  17. MITRE tracks vulnerability disclosures Cumulative Disclosures Percentage from Web applications 2010 Source: IBM X-Force, Mar 2011 Data: http://cve.mitre.org/

  18. Reported Web Vulnerabilities "In the Wild" Data from aggregator and validator of NVD-reported vulnerabilities

  19. Web vs System vulnerabilities • Decline in % web vulns since 2009 • 49% in 2010 -> 37% in 2011. • Big decline in SQL Injection vulnerabilities XSS peak

  20. Mobile Operating Systems Mobile OS Exploits Mobile OS Vulnerabilities Source: IBM X-Force, Mar 2011

  21. Phishing?

  22. Bot networks • Continue to be major problem (e.g., Spam)

  23. The Marketplace forVulnerabilities

  24. Marketplace for Vulnerabilities Option 1: bug bounty programs • Google Vulnerability Reward Program: 3K $ • Mozilla Bug Bounty program: 500$ • Pwn2Own competition: 15K $ Option 2: • ZDI, iDefense: 2K – 25K $

  25. Marketplace for Vulnerabilities Option 3: black market Source: Charlie Miller (securityevaluators.com/files/papers/0daymarket.pdf)

  26. Marketplace for owned machines clients spam bot keylogger Pay-per-install (PPI) services • Own victim’s machine • Download and install client’s code • Charge client PPI service Cost: US 100-180$ / 1000 machines Asia 7-8$ / 1000 machines Victims Source: Cabalerro et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

  27. Attacker Goals, Examples

  28. The computer security problem • Lots of buggy software (and gullible users) • Money can be made from finding and exploiting vulnerabilities. • Marketplace for vulnerabilities • Marketplace for owned machines (PPI) • Many methods to profit from owned client machines

  29. Why own machines: IP address and bandwidth stealing Attacker’s goal: look like a random Internet user Use the infected machine’s IP address for: • Spam (e.g. the storm botnet) Spamalytics: 1:12M pharma spams leads to purchase 1:260K greeting card spams leads to infection • Denial of Service: • Services: 1 hour (20$), 24 hours (100$) • Click fraud (e.g. Clickbot.a)

  30. Why own machines: Steal user credentials keylog for banking passwords, web passwords, gaming pwds Example: SilentBanker (2007) User requests login page Malware injects Javascript Bank sends login page needed to log in Bank When user submits information, also sent to attacker Similar mechanism used by Zeus botnet

  31. Why own machines: Spread to isolated systems Example: Stuxtnet Windows infection ⇒ Siemens PCS 7 SCADA control software on Windows ⇒ Siemens device controller on isolated network

  32. Drive-by Downloads

  33. Web attack toolkit: MPack • Basic setup • Toolkit hosted on web server • Infects pages on that server • Page visitors get infected • Features • Customized: determines exploit on the fly, based on user’s OS, browser, etc • Easy to use: management console provides stats on infection rates • Customer care toolkit can be purchased with one-year support contract!

  34. Insider attacks: example Hidden trap door in Linux(Nov. 2003) • Allows attacker to take over a computer • Practically undetectable change (uncovered via CVS logs) Inserted line in wait4() Looks like a standard error check, but … if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL; See: http://lwn.net/Articles/57135/

  35. What can you trust?

  36. Ken Thompson • What code can we trust? • Consider "login" or "su" in Unix • Is RedHat binary reliable? • Does it send your passwd to someone? • Can't trust binary so check source, recompile • Read source code or write your own • Does this solve problem? Reflections on Trusting Trust, http://www.acm.org/classics/sep95/

  37. Compiler backdoor • This is the basis of Thompson's attack • Compiler looks for source code that looks like login program • If found, inserts login backdoor (allow special user to log in) • How do we solve this? • Inspect the compiler source

  38. C compiler is written in C • Change compiler source S compiler(S) { if (match(S, "login-pattern")) { compile (login-backdoor) return } if (match(S, "compiler-pattern")) { compile (compiler-backdoor) return } .... /* compile as usual */ }

  39. Clever trick to avoid detection • Compile this compiler and delete backdoor tests from source • Someone can compile standard compiler source to get new compiler, then compile login, and get login with backdoor • Simplest approach will only work once • Compiling the compiler twice might lose the backdoor • But can making code for compiler backdoor output itself • (Can you write a program that prints itself? Recursion thm) • Read Thompson's article • Short, but requires thought

  40. Concluding …

  41. Ethical use of security information • We discuss vulnerabilities and attacks • Most vulnerabilities have been fixed • Some attacks may still cause harm • Do not try these at home or anyplace else • Purpose of this class • Learn to prevent malicious attacks • Use knowledge for good purposes

  42. If you remember only one thing from this course: A vulnerability that is “too complicated for anyone to ever find” will be found and exploited ! We hope you remember more than one thing

More Related