1 / 32

Security

Security. Dominik Streicher Vienna University of Technology. Hierachy of Needs. Figure1: Maslow Pyramide. IT Security. Security is dependability with respect to prevention of unauthorized access and / or handling of information and / or availability [1] .

moya
Télécharger la présentation

Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Dominik Streicher Vienna University of Technology

  2. Hierachyof Needs Figure1: Maslow Pyramide D. Streicher

  3. IT Security Security isdependabilitywithrespecttopreventionofunauthorizedaccessand/orhandlingofinformationand/oravailability[1] D. Streicher

  4. Why do people hack intosystems? • Recognition • Admiration • Curiosity • Power & Gain • Revenge • M.O.N.E.Y D. Streicher

  5. Someinterestingnumbers Malware industryisworth ~100 billion Dollars 80-90% ofthee-mailtraffic out thereisspam 50-80% ofcomputersconnectedtothe Internet infectedwithspyware D. Streicher

  6. Someinterestingnumbers A 26 year-oldmade 20 milliondollarswithspambeforebeingcaught Scarewareattacks (Polizei Virus) on Austrian end-users yielded >4k infections in 2012 (100€ per success) [3] D. Streicher

  7. Goals Figure2: Goals of Security Confidentiality Integrity Availability But also: Authenticity Accountability D. Streicher

  8. Risk Figure 4: Risk • Nothingisever 100 % secure Givenenough time, resourcesand motivationevery systemcanbe breaked D. Streicher

  9. Software Security threats • Malicious Software (Malware) • Programsexploitingsystemsvulnerabilities • Database Security • SQL-Injections • Network Security • Sniffing, MITM • Denialof Service D. Streicher

  10. Software Security threats (2) • Code Injection • XSS, Parameter-Injection • Social Engineering • Buffer Overflow D. Streicher

  11. Countermeasures • Encryption • Symmetric • Asymmetric • Checksums • Access Control • Identification • Authentification • User Education • Increase Software quality • Combine SW and HW D. Streicher

  12. Software Security (concl.) Hard tomeasure (cost/gain) Security is a process Depends on Language Security, Operating System and Hardware Reverse Engineering (Disassembly) D. Streicher

  13. .NET Example D. Streicher

  14. .NET Reflector D. Streicher

  15. Software Security (concl.) Hard tomeasure (cost/gain) Security is a process Depends on Language Security, Operating System and Hardware Reverse Engineering (Disassembly)  Veryhardtoachieve D. Streicher

  16. Hardware Figure3: USB-Dongles • Itactslike a black box • Can beused • tosecure Software • Hardware-Dongle • forauthentification • Access-Cards • Biometrics D. Streicher

  17. Computer Attacks Figure5: Computer • Device Attacks • Monitor • Keyboard • Printer • Computer Attacks • Network • Memory • Processor D. Streicher

  18. Hardware Attacks D. Streicher

  19. Blackbox Attack Reverse Engineering Try all possiblecombinations Extractinnerlogicfromoutput Depends on thecomplexityandprocessor power Not a real threatnowadays D. Streicher

  20. PhysicalAttack Attackparts, whichare not availablethroughthe IO-Pins Hard toimplement D. Streicher

  21. Side-Channel-Attack • Get information from physical implementation • Timing • Power consumption • Electromagnetic leaks • Differential Fault Analysis (DFA) • Introduce faults • Software countermeasures D. Streicher

  22. FPGA Attacks D. Streicher

  23. Readbackattack • Read configuration • JTAG • Programminginterface • XilinxJBits • Countermeasure • Security bit D. Streicher

  24. Cloningof SRAM FPGAs • Configurationin NV-Memory • Countermeasure • NVRAM on chip • Encryption oftheconfigurationfile D. Streicher

  25. Reverse-Engineering oftheBitstreams Bitstream = Configuration Data loadedinto a FPGA Torecover original netlist D. Streicher

  26. Console Security • The best modern protectionis via theinternetandupdates: • Firmware Updates • Internet Banning • Requiresupdatedconsoletoplaynewgames D. Streicher

  27. Consolesecuritypractices D. Streicher

  28. XBOX 360 Operating System onlyrunssignedcode Nounencrypted, executablecodeiswrittentomemory All vulnerabilitiesarepatchedover Internet New consolesaresoldwithlatestupdates D. Streicher

  29. XBOX 360 (2) • 768 bitsofeFuse • Preventdowngradingbyflashingkernel • Tightlycontrolledbootprocess • Write customfirmwareforthe DVD-ROM toplaycopiedgames D. Streicher

  30. XBOX 360 (3) • Reverse Engineering of JTAG • Allowshackerstoset DMA • But JTAG isdisabledbyBootloader • SMC portcouldlaunch DMA, but could not settarget DMA addresses •  Togetherthe JTAG/SMC couldtriggercontrolled DMA D. Streicher

  31. XBOX 360 (4) Figure 6: JTAG D. Streicher

  32. References [1]: Dependable Systems TU-Wien by Stefan Poledna [2]: Computer Security: PrinciplesandPractice byWilliam Stallings, Lawrence Brown [3]: http://www.bmi.gv.at/ Other sources: Security on FPGAs: State-of-the-Art Implementations andAttacksby Thomas Wollinger, Ruhr Universität Bochum, 2004 ACM 1539-9087/04/0800-0534 KeepingSecrets in Hardware: The Microsoft XboxTM Case Study by Andrew Huang, MIT, Cambridge A Hardware-Based Software Protection Systems – Analysis of Security Dongles with Time Meters byIreneusz J. Jozwiakand Krzysztof Marczak, IEEEE Introductionto Embedded Security , Black Hat USA 2004 Briefings byJoe Grand FPGA Design Security Issues:UsingtheispXPGA® Family of FPGAs toAchieve High Design Security IT Security TU-Wien InternetSecurity TU-WIEN Breakthroughsiliconscanningdiscoversbackdoorin militarychip (DRAFT of 05 March 2012) Figure 1,3,5: http://en.wikipedia.org/ Figure 2: Computer Security: Principlesand Practice by William Stallings, Lawrence Brown Figure 4: Introductionto Embedded Security , Black Hat USA 2004 Briefings Figure 6: http://www.free60.org/File:X_Jtag_free60.png D. Streicher

More Related