Chapter 15: Security

Presentation Transcript

  1. Chapter 15: Security

  2. Chapter 15: Security • The Security Problem • Program Threats • System and Network Threats • Cryptography as a Security Tool • User Authentication • Implementing Security Defenses • Firewalling to Protect Systems and Networks • Computer-Security Classifications • An Example: Windows XP

  3. Objectives • To discuss security threats and attacks • To explain the fundamentals of encryption, authentication, and hashing • To examine the uses of cryptography in computing • To describe the various countermeasures to security attacks

  4. The Security Problem • A system is secure if its resources are used and accessed as intended under all circumstances. • Total security cannot be achieved.

  5. The Security Problem • Security must consider external environment of the system, and protect the system resources • Intruders (crackers) attempt to breach security • Threat is potential security violation • Eg, a discovery of a vulnerability • Attack is attempt to breach security • Attack can be accidental or malicious • Easier to protect against accidental than malicious misuse

  6. Security Violations • Categories • Breach of confidentiality • Involves unauthorized reading of data (theft of information) • Ex: stealing credit-card info or identity info for identity theft • Breach of integrity • Unauthorized modification of data • Can result in passing of liability to an innocent party • Can result in modification of commercial application • Breach of availability • Unauthorized destruction of data • Ex: defacing of a web page • Often for bragging rights

  7. Security Violations • Categories (cont) • Theft of service • Unauthorized use of resources • Ex: using someone's computer as a porn server • Denial of service • Preventing legitimate use of the system • DOS is sometimes accidental • The original internet worm became a DOS when a bug failed to delay its rapid spread.

  8. Security Violations • Methods (see next slide) • Masquerading (breach authentication) • One participant in a communication pretends to be someone else • Could be another host or person. • Goal is to gain access that they would not normally be allowed • Or could try to escalate their privileges • Replay attack • Replay a captured exchange of data • Sometimes the replay is the attack: ex: repeat of a request to transfer money • Message modification: replace some data in the replay to obtain access for unauthorized user. • Man-in-the-middle attack • Attacker sits in the data flow of a communication • Masquerades as the sender to the receiver and vice versa • Session hijacking • An active communication session is intercepted.

  9. Standard Security Attacks

  10. Security Measure Levels • Security must occur at four levels to be effective: • Physical • Physically secure the computers • Human • Avoid social engineering • Phishing: a legitimate-looking e-mail or web page misleads a user into entering confidential information • Dumpster diving: looking through trash, finding phone books, etc • Operating System • The system must protect itself from accidental or purposeful security breaches. • Ex: a runaway process • Stack overflow • Network • Intercepting data traveling between computers • Security is as weak as the weakest link in the chain

  11. Program Threats • The most common goal of crackers: • Write a program that creates a breach of security • Or cause a normal process to change its behavior and create a breach • Example: • Useful to log into a system without authorization • More useful to leave behind a back-door daemon that provides info or allows easy access even if the original exploit is blocked.

  12. Program Threats • Trojan Horse • Code segment that misuses its environment • Exploits mechanisms for allowing programs written by users to be executed by other users • Spyware, pop-up browser windows, covert channels • Examples • Text-editor program may include code to search the file to be edited for certain keywords • These are then saved in a hidden file accessible to the creator of the text editor.

  13. Program Threats • Trojan Horse more examples: • Long search paths (the PATH environment variable) • If not every path is secure, could execute wrong program • Example: use of the "." in the path (search current directory) • If you go to a friend's directory and execute a command, the command may be run from her directory • This would give the program her permissions • Could delete her files, etc.
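
The search-path risk from slide 13, as an added example that is not part of the original slides: a check that flags PATH entries resolved against the current directory (empty entries, ".", any relative path) and directories that any user can write to. The function names are hypothetical, and the world-writable check goes beyond the slide's "." case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Classify one PATH entry of length len (not NUL-terminated).
 * Returns a reason string if the entry is risky, NULL otherwise. */
const char *path_entry_risk(const char *entry, size_t len)
{
    char dir[4096];
    struct stat st;

    if (len == 0)
        return "empty entry (means the current directory)";
    if (entry[0] != '/')
        return "relative entry (resolved against the current directory)";
    if (len >= sizeof dir)
        return "entry too long to check";
    memcpy(dir, entry, len);
    dir[len] = '\0';
    /* A directory any user can write to lets anyone plant a program in it. */
    if (stat(dir, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH))
        return "world-writable directory";
    return NULL;
}

/* Walk a colon-separated PATH value; print and count the risky entries.
 * strtok() is avoided on purpose: it would skip the empty entries. */
int count_risky_path_entries(const char *path)
{
    int risky = 0;
    const char *p = path;

    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        const char *why = path_entry_risk(p, len);

        if (why) {
            printf("risky: \"%.*s\": %s\n", (int)len, p, why);
            risky++;
        }
        if (!colon)
            break;
        p = colon + 1;
    }
    return risky;
}

int main(void)
{
    const char *path = getenv("PATH");
    return (path && count_risky_path_entries(path) == 0) ? 0 : 1;
}
```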

  14. Program Threats • Trojan Horse (cont) • More examples: • Example: a program that emulates a login program • User logs in at a terminal and notices that he has apparently mistyped his password • He tries again and is successful • What really happened? His account name/password were stolen by the login emulator that was left running by the thief. • The emulator stored his information, printed out a login error message, and exited. • User then got the real prompt. • Protection: • Use non-trappable key sequence (ctrl-alt-delete) • Have the OS print a usage message at the end of an interactive session instead of just a new login prompt

  15. Program Threats • Trojan Horse (cont) • More examples: • Spyware. • Sometimes accompanies a program that the user has chosen to install • Sometimes with freeware/shareware, sometimes with commercial software • Goals: • Download ads to display on the user's system • Create pop-up windows when certain sites are visited • Capture info from the user's system and return it to a central site. • Covert channel attack • Surreptitious communication occurs • A spyware daemon is loaded • It contacts a central site and is given a message and a list of recipient addresses • It delivers the spam message to those users from the infected machine • 80% of spam was delivered this way in 2004!

  16. Program Threats • Trojan Horse more examples (cont) • Spyware. • Real problem: violation of the principle of least privilege • Usually a user of an operating system does not need to install network daemons • Such daemons are installed via two mistakes • First: a user may choose to run with more privileges than necessary (eg, as administrator) • This allows programs that she runs to have more access to the system than is necessary • Second: an OS may allow by default more privileges than a normal user needs.

  17. Program Threats • Trap Door • The designer of a program or system might leave a hole in the software that only she is capable of using. • Used in the movie War Games. • Example: program recognizes a specific user identifier or password that circumvents normal security procedures • Example: programmer for a bank might include rounding errors in their code and have the resulting half-cent deposited in their account • Could be included in a compiler • Compiler generates standard object code • Also includes the trap door. • Hard to find: searching the source code will not reveal the trap door; it is only in the compiler!

  18. Program Threats • Logic Bomb • Program that initiates a security incident under certain circumstances • Under normal circumstances there is no security hole. • When a predefined set of parameters is met, the security hole is created. • Example: programmer writes code that checks to see if she is still employed • If not, a daemon is spawned to allow remote access or to damage the site.

  19. Program Threats • Stack and Buffer Overflow • Most common technique for attacker from outside the system to gain unauthorized access to the target system. • Exploits a bug in a program • overflow either the stack or memory buffers • Usually programmer neglected to code bounds checking on an input field • Attacker sends more data than the program expects

  20. Program Threats • Stack and Buffer Overflow • Using trial & error (or examining code if open source), attacker writes a program to do the following: • 1. Overflow an input field, command-line argument, or input buffer for a program (like a network daemon) until it writes into the stack • 2. Overwrite the current return address and insert the address of the exploit code loaded in step 3. • 3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute • Example to spawn a shell • Result is a root shell or other privileged command execution.

  21. Program Threats • Stack and Buffer Overflow example: • Web-page form expects a user name in a field • Attacker sends the user name, plus extra characters to overflow the buffer and reach the stack • Plus, a new return address to load onto the stack, plus the code the attacker wants to run. • When the buffer-reading subroutine returns from execution, the return address is the exploit code and the code is run. • See next slide

  22. C Program with Buffer-overflow Condition

      ```c
      #include <stdio.h>
      #include <string.h>
      #define BUFFER_SIZE 256

      int main(int argc, char *argv[])
      {
          char buffer[BUFFER_SIZE];       /* creates a character array */
          if (argc < 2)
              return -1;
          else {
              /* copies the contents of the command-line parameter into the buffer */
              strcpy(buffer, argv[1]);
              return 0;
          }
      }
      ```

      This works fine as long as the input parameter is less than BUFFER_SIZE (also need one byte to store '\0').

  23. C Program with Buffer-overflow Condition

      ```c
      #include <stdio.h>
      #include <string.h>
      #define BUFFER_SIZE 256

      int main(int argc, char *argv[])
      {
          char buffer[BUFFER_SIZE];       /* creates a character array */
          if (argc < 2)
              return -1;
          else {
              /* copies the contents of the command-line parameter into the buffer */
              strcpy(buffer, argv[1]);
              return 0;
          }
      }
      ```

      What if the command line parameter is too long? strcpy will copy from argv[1] until it hits a '\0' or until the program crashes!

  24. C Program with Buffer-overflow Condition

      ```c
      #include <stdio.h>
      #include <string.h>
      #define BUFFER_SIZE 256

      int main(int argc, char *argv[])
      {
          char buffer[BUFFER_SIZE];       /* creates a character array */
          if (argc < 2)
              return -1;
          else {
              /* copies the contents of the command-line parameter into the buffer */
              strcpy(buffer, argv[1]);
              return 0;
          }
      }
      ```

      To prevent: use strncpy instead of strcpy: `strncpy(buffer, argv[1], sizeof(buffer)-1);`
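
An added example, not part of the original slides, that completes the strncpy fix from slide 24: strncpy writes no terminating '\0' when the source is as long as the limit, so the copy has to terminate the buffer itself or reject over-long input. The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

/* Shows the pitfall on a small scratch buffer: returns 1 if the result of
 * a bare strncpy(dst, src, sizeof dst) ends up NUL-terminated, else 0. */
int bare_strncpy_terminates(const char *src)
{
    char dst[8];
    memset(dst, 'x', sizeof dst);        /* stand-in for stale stack data */
    strncpy(dst, src, sizeof dst);       /* never writes past dst[7] */
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* The slide's fix with the terminator written explicitly.
 * Returns 1 if the input had to be truncated, 0 otherwise. */
int copy_truncating(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz;
}

/* Stricter variant: refuse over-long input instead of silently cutting it.
 * Returns 0 on success, -1 when rejected (dst is left as an empty string). */
int copy_rejecting(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0)
        return -1;
    if (len >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);           /* len + 1 includes the '\0' */
    return 0;
}

/* The slide's program with the bounded copy in place of strcpy. */
int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    if (copy_rejecting(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d characters)\n",
                BUFFER_SIZE - 1);
        return 1;
    }
    printf("copied %zu characters\n", strlen(buffer));
    return 0;
}
```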

  25. C Program with Buffer-overflow Condition • Assume this type of stack (diagram: buffer, return address, return val) • When the buffer space is overwritten, the data goes into the return address. • When the subroutine returns, goes to the address that was overwritten. • How is this used? See next slide!

  26. Layout of Typical Stack Frame The saved frame pointer allows the frame pointer to be restored when the subroutine returns. (ie, local variables)

  27. Buffer-overflow attack Cracker's goal: replace the return address in the stack frame so that it now points to the code segment containing the attacking program

  28. Modified Shell Code • Cracker writes below code. • execvp creates a shell process. This process has all the permissions that the original program had. • The below code must be compiled and its assembly language modified so that it can fit into a stack frame. The code will be a binary sequence of code that is the heart of the attack.

      ```c
      #include <stdio.h>
      #include <unistd.h>

      int main(int argc, char *argv[])
      {
          char *args[] = { "/bin/sh", NULL };
          execvp("/bin/sh", args);    /* replaces this process with a shell */
          return 0;
      }
      ```

  29. C Program with Buffer-overflow Condition • Consider this code again. Assume that the resulting stack frame is organized as shown on the next slide.

      ```c
      #include <stdio.h>
      #include <string.h>
      #define BUFFER_SIZE 256

      int main(int argc, char *argv[])
      {
          char buffer[BUFFER_SIZE];
          if (argc < 2)
              return -1;
          else {
              strcpy(buffer, argv[1]);    /* unbounded copy: the overflow condition */
              return 0;
          }
      }
      ```

  30. Hypothetical Stack Frame (figure: the stack frame before attack and after attack) • 1. Using a debugger, the cracker finds the address of buffer[0] in the stack. That address will become the location of the code the attacker wants executed. • 2. Append the attack code to the buffer data. Fill the attack code with the right number of NO_OP instructions to fill the stack frame right up to the return address • 3. Add the location of buffer[0] to the end of the code so that it overwrites the return address field. • 4. Now when the function returns, it will jump to the address of buffer[0] instead and run the attacker's code. • 5. Start the attack by entering your modified attack code as the command line parameter.

  31. Buffer-overflow attack • Once a cracker has created a buffer-overflow or stack-overflow exploit, he can release it on the net. • A script kiddie, someone with rudimentary computer skills, can then employ the exploit • A buffer-overflow exploit can be run between systems and over allowed communication channels. • Can use the exploit within protocols that are expected to be used to communicate with the target machine • Are thus hard to detect

  32. Buffer-overflow attack • Solution 1: • CPU can have a feature that disallows execution of code in a stack section of memory. • Recent Sun SPARC chips have this; recent versions of Solaris use it. • Return address can still be modified, but when code in a stack segment attempts to execute, an automatic exception is generated. • Solution 2: • AMD/Intel x86 chips have the NX feature • New bit added to the page tables of CPUs • Marks the associated page as nonexecutable • Instructions cannot be read from this page • Linux and Windows XP SP2 use this bit.
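
An added example, not part of the original slides, showing how the non-executable marking from slide 32 can be checked on Linux: each line of /proc/self/maps carries the mapping's permissions, and a stack protected as described shows rw-p rather than rwxp. The function names are hypothetical and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in /proc/<pid>/maps format (not from a real host):
 *   start-end perms offset dev inode [pathname]                            */
static const char *SAMPLE[] = {
    "55d0c0a00000-55d0c0a01000 r-xp 00001000 08:01 131 /usr/bin/cat\n",
    "7ffc1a2b3000-7ffc1a2d4000 rw-p 00000000 00:00 0 [stack]\n",
    "7f11c0000000-7f11c0021000 rwxp 00000000 00:00 0\n",
};

/* Extract the four permission characters. Returns 0 on success, -1 if the
 * line is not in maps format. */
int mapping_perms(const char *line, char perms[5])
{
    unsigned long start, end;
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return -1;
    return strlen(perms) == 4 ? 0 : -1;
}

/* 1 if the mapping is writable and executable at once, 0 if not,
 * -1 if the line cannot be parsed. */
int mapping_is_wx(const char *line)
{
    char perms[5];
    if (mapping_perms(line, perms) != 0)
        return -1;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* 1 if the line is the [stack] mapping and it is executable, 0 if it is the
 * stack and non-executable, -1 if it is not a parseable stack line. */
int stack_is_executable(const char *line)
{
    char perms[5];
    if (strstr(line, "[stack]") == NULL || mapping_perms(line, perms) != 0)
        return -1;
    return perms[2] == 'x';
}

int main(void)
{
    char line[512];
    int findings = 0;
    size_t i;
    FILE *f = fopen("/proc/self/maps", "r");

    if (f) {                             /* live check of this process */
        while (fgets(line, sizeof line, f))
            if (mapping_is_wx(line) == 1) {
                printf("W+X: %s", line);
                findings++;
            }
        fclose(f);
    } else {                             /* no procfs: use the sample */
        for (i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
            if (mapping_is_wx(SAMPLE[i]) == 1) {
                printf("W+X: %s", SAMPLE[i]);
                findings++;
            }
    }
    return findings ? 1 : 0;
}
```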

  33. Program Threats (Cont.) • Viruses • Code fragment embedded in legitimate program • Very specific to CPU architecture, operating system, applications • Self-replicating and designed to "infect" other programs • Used to modify or destroy files and programs • Windows more susceptible than UNIX • In UNIX executable programs are protected from being written on by the OS • Usually borne via email or as a macro • Spam is the most common vector • Can spread via downloaded files

  34. Program Threats (Cont.) • Viruses • Macro viruses • Takes advantage of MS Office files • These documents can contain macros (VB programs) • Macros are executed automatically when the Office program is opened • Visual Basic Macro to reformat hard drive

      ```vb
      Sub AutoOpen()
          Dim oFS
          Set oFS = CreateObject("Scripting.FileSystemObject")
          vs = Shell(" /k format c:", vbHide)
      End Sub
      ```

  35. Program Threats (Cont.) • Virus dropper inserts virus onto the system • This is often a Trojan horse program whose real purpose is to insert the virus • Many categories of viruses, literally many thousands of viruses • File • Infects a system by appending itself to a file. • Changes the start of the program so that execution jumps to its code • After it executes, it returns control to the program so that its execution is not noticed. • Boot • Infects the boot sector of the system • Executes every time the system is booted, before OS is loaded. • Watches for other bootable media (eg, floppy disks) and infects them. • Do not appear in the file system. • See next slide.

  36. A Boot-sector Computer Virus

  37. Viruses (cont) • Virus Categories (cont) • Macro • Most common are MS Office macro viruses • Source code • Looks for source code and modifies it to include the virus and to help spread the virus. • Polymorphic • Virus changes each time it is installed to avoid detection by antivirus software. • Changes do not affect the virus's functionality, just its signature. • A signature is a series of bytes that make up the code; can be used to identify the virus. • Encrypted • Virus is encrypted and includes decryption code along with the encrypted virus to avoid detection. • Virus first decrypts itself, then executes.

  38. Viruses (cont) • Virus Categories (cont) • Stealth • Modifies parts of the system that could be used to detect it. • Eg, could modify the read system call so that if the file it has modified is read, the original form of the code is returned rather than the infected code. • Tunneling • Virus attempts to bypass detection by an antivirus scanner by installing itself in the interrupt-handler chain or a device driver • Multipartite • Infects multiple parts of a system including boot sectors, memory, and files • Makes it difficult to detect • Armored • Coded to make itself hard for antivirus researchers to unravel and understand. • Can also be compressed to avoid detection • Also virus droppers and other full files that are part of the virus infestation are hidden via file attributes or unviewable file names.

  39. Viruses (cont) • Monoculture • Majority of computers use a version of the Windows OS • Does this make it easier for viruses to spread?

  40. System and Network Threats • System and Network threats involve the abuse of services and network connections. • Sometimes a system and network attack is used to launch a program attack, sometimes vice versa. • Masquerading and replay attacks are also common over networks • These attacks are more effective and harder to counter • Involve multiple systems • Any one system often cannot trace the sender of the attack.

  41. System and Network Threats • Worms • Use a spawn mechanism to create copies of themselves • Use up system resources, perhaps locking out other processes • Especially bad on a network; worms reproduce themselves among systems and can shut down the entire network • Standalone program

  42. System and Network Threats • Internet worm • November 2, 1988. Robert Tappan Morris Jr., a first-year Cornell graduate student unleashed the first worm on the internet. • Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs • Targeted Sun’s Sun 3 workstations and VAX computers running variants of Version 4 BSD UNIX • Within a few hours it had consumed system resources to the point of bringing down the infected machines. • How it spread • Morris chose for the initial infection an Internet host left open for and accessible to outside users • From there the worm exploited flaws in the UNIX OS security routines • Also took advantage of UNIX utilities that simplify resource sharing in LANs. • Thereby gained access to other connected sites.

  43. System and Network Threats • Internet worm • Worm was composed of two parts: • Grappling hook (or bootstrap or vector) program uploaded main worm program • named i1.c • Consisted of 99 lines of C code. • Was compiled and run on each machine it accessed. • Once created on the attacked machine, this program connected to the machine where it originated and uploaded a copy of the main worm onto the hooked machine

  44. System and Network Threats • Internet worm • Worm was composed of two parts: • Main program • Searched for other machines to which the newly infected system could connect easily • Used the UNIX networking utility rsh for easy remote task execution. • By setting up special files that list host-login name pairs, users can omit entering a password each time they access a remote account on the paired list • The worm searched these special files for site names that would allow remote execution without a password • The worm uploaded the grappling hook to these sites

  45. System and Network Threats • Internet worm: other exploits • finger • finger is an electronic telephone directory. • Runs as a background process (daemon) for each BSD site • Responds to queries throughout the internet • The worm executed a buffer-overflow attack on finger • Queried finger with a 536-byte string • This exceeded the buffer allocated for input and overwrote stack frame. • Instead of returning to main, finger returned to a procedure within the invading 536-byte string now on the stack • The new procedure executed /bin/sh and gave the worm a remote shell on the machine

  46. System and Network Threats • Internet worm: other exploits • sendmail • Debugging code in sendmail permits testers to verify and display the state of the mail system • This option was useful to sys-ads and was often left on • Worm did a call to debug that, instead of specifying a user address, issued a set of commands that mailed and executed a copy of the grappling-hook program

  47. System and Network Threats • Internet worm: other exploits • passwords • Worm systematically attempted to discover user passwords • Began by trying simple cases of no password or of passwords constructed of account-user-name combinations • Then used an internal dictionary of 432 favorite password choices • Then tried all words in the standard UNIX on-line dictionary. • When worm got access to an account, it looked for rsh data files and used them as described before

  48. The Morris Internet Worm

  49. The Morris Internet Worm • Spreading • With each new access, the worm searched for already existing copies of itself • If found one, the new copy exited. • In every 7th instance, did not exit. • Containing • Cooperative efforts over the internet developed solutions quickly • By evening of the second day, Nov 3, methods of halting the invading program were circulated to sys-ads via the internet • Within days, patches were available • Result • Morris: 3 years probation, 400 hours community service, $10,000 fine, over $100,000 in legal fees

  50. W32.Sobig.F@mm Internet Worm • August 2003, was the 5th version of the Sobig worm • Released by persons unknown • Fastest-spreading worm released to date • Infected hundreds of thousands of computers and 1 in 17 e-mail messages on the internet. • Was launched by being uploaded to a porn newsgroup via an account created with a stolen credit card. • Disguised as a photo • Targeted MS systems